Netkiller Linux Advanced 手札

Netkiller Linux Advanced 手札

下一页

Netkiller Linux Advanced Cookbook
Mr. Neo Chan, 陈景峰
中国广东省深圳市宝安区龙华镇
518109
+86 755 29812080
+86 755 29812080
<openunix@163.com>
文档出处
http://netkiller.sf.net/
http://netkiller.hikz.com/
http://netkiller.homelinux.org/
版权 © 2006, 2007, 2008, 2009, 2010 Netkiller(Neo Chan). All rights reserved.
版权声明
转载请与作者联系，转载时请务必标明文章原始出处和作者信息及本声明。
文档最近一次更新于 Tue May 18 03:11:53 UTC 2010
内容摘要
本文档讲述Linux系统涵盖了系统管理与配置包括：
1. 域名服务器，代理服务器，防火墙,VPN
2. WEB服务器 lighttpd apache fastcgi mod_php mod_perl
3. 数据库服务器,mysql/mysql cluster postgresql
http://netkiller.sourceforge.net/linux/index.html（第 1／15 页）[21/5/2010 21:40:07]

4. 数据同步，镜像，备份，恢复
5. 系统/网络监控
6. 集群，负载均衡
对初学Linux的爱好者忠告
玩Linux最忌reboot（重新启动）这是windows玩家坏习惯
Linux只要接上电源你就不要再想用reboot,shutdown,halt,poweroff命令,Linux系统和
应用软件一般备有reload,reconfigure,restart/start/stop...不需要安装软件或配置服务
器后使用reboot重新引导计算机
在Linux系统里SIGHUP信号被定义为刷新配置文件,有些程序没有提供reload参数,你
可以给进程发送HUP信号,让它刷新配置文件,而不用restart.通过pkill,killall,kill 都可以
发送HUP信号例如: pkill -HUP httpd
系列文档
下面是我多年积累下来的经验整理文档供大家参考:
Netkiller Linux Basics 手札 | Netkiller Linux Advanced 手札 | Netkiller CentOS 手札 | Netkiller

FreeBSD 手札 | Netkiller Shell 手札
Netkiller Architect 手札 | Netkiller Version 手札 | Netkiller Developer 手札 | Netkiller Security 手

札 | Netkiller Database & LDAP 手札 |
Netkiller Cisco IOS 手札 | Netkiller Mail System 手札 | Netkiller Document 手札
鸣谢
目录
自述
本文目的
内容简介
读者对象
作者简介

联系作者
1. Introduction
Open Source and License
Distribution information
Linux Installation
I. System
2. Ubuntu Server Edition
3. CentOS - The Community ENTerprise Operating System
II. Network Application
4. network tools
curl / w3m / lynx
iptraf - Interactive Colorful IP LAN Monitor
5. Host
/etc/host.conf
/etc/hosts
hosts.allow / hosts.deny
/etc/resolv.conf
6. IP And Router
netmask
iproute2
添加路由
删除路由
变更路由
增加默认路由
cache
策略路由
负载均衡
MASQUERADE
ip tunnel
VLAN
Zebra
7. DHCP
DHCP Server
dhclient
release matching connections
8. DNS/Bind
bind9
Load Balancing

view
tools
9. Proxy Server
Apache Proxy
Squid - Internet Object Cache (WWW proxy cache)
源码安装
debian/ubuntu 安装
配置
Squid 管理
禁止页面被Cache
Squid 实用案例
Web page proxy
Surrogafier
CGIproxy
PHPProxy
BBlocked
Glype
Zelune
SOCKS
Socks5
dante-server - SOCKS (v4 and v5) proxy daemon(danted)
hpsockd - HP SOCKS server
10. Point to Point
download
rtorrent - ncurses BitTorrent client based on LibTorrent
mldonkey-server - Door to the 'donkey' network
amule - client for the eD2k and Kad networks, like eMule
11. News Group (innd)
User Authentication
usenet 管理
通过SSL连接
src.rpm 安装
12. IRC - Internet Relay Chat
IRC Commands
ircd-irc2 - The original IRCNet IRC server daemon
ircd-hybrid
IRC Client
ircII - interface to the Internet Relay Chat system

13. jabber
ejabberd - Distributed, fault-tolerant Jabber/XMPP server written in Erlang
ejabberdctl
DJabberd
freetalk - A console based Jabber client
Developer
python-xmpp
14. NET SNMP (Simple Network Management Protocol)
安装SNMP
例出MBI
SNMP v3
Cacti
15. Network Authentication
Network Information Service (NIS)
安装NIS服务器
Slave NIS Server
客户机软件安装
Authentication Configuration
application example
Mount /home volume from NFS
OpenLDAP
Server
Client
User and Group Management
Kerberos
Kerberos 安装
Kerberos Server
Kerberos Client
Kerberos Management
OpenSSH Authentications
FreeRADIUS
ldap
mysql
WAP2 Enterprise
16. Sniffer
nmap - Network exploration tool and security / port scanner
tcpdump - A powerful tool for network monitoring and data acquisition
监控网络但排除 SSH 22 端口

monitor mysql tcp package

nc - TCP/IP swiss army knife
Nessus
17. OpenSSH
maximum number of authentication
disable root SSH login
Automatic SSH / SSH without password
disable password authentication
Putty
OpenSSH Tunnel
SOCKS v5 Tunnel
OpenSSH for Windows
18. Firewall
sysctl - configure kernel parameters at runtime
net.ipv4.ip_forward
iptables - administration tools for packet filtering and NAT
Getting Started
User-defined Chain
Common Chains Filtering
Interfaces
IP Addresses
Ports and Protocols
IPTables and Connection Tracking
NAT
IPV6
ulogd - The Netfilter Userspace Logging Daemon
ufw - program for managing a netfilter firewall
/etc/default/ufw
ip_forward
DHCP
Samba
Firewall GUI Tools
Shorewall Tools
Endian Firewall
Smooth Firewall
19. OpenVPN (openvpn - Virtual Private Network daemon)
Openvpn Server
Openvpn Client

OpenVPN GUI for Windows

Windows Server
Windows Client
point-to-point VPNs
源码安装
vpn 案例
20. pptpd
21. Ipsec VPN
openswan - IPSEC utilities for Openswan
strongswan - IPSec utilities for strongSwan
ipsec-tools - IPsec tools for Linux
22. Stunnel - universal SSL tunnel
III. Web Application
23. Lighttpd and fastcgi
quick install with aptitude
to compile and then install lighttpd
shell script
Module
simple-vhost
enable fastcgi
ssl
redirect
rewrite
alias.url
auth
compress module
mod_expire
status
fastcgi
PHP
Python
Perl
24. Nginx
Installing by apt-get under the debain/ubuntu
installing by source
25. LAMP
Install
Quick install apache with aptitude

XAMPP for Linux

Compile and then install Apache
Automation Installing
Apache 调优
worker
Listen
VirtualHost
Module
Output a list of modules compiled into the server.
Apache Status
Alias / AliasMatch
Redirect / RedirectMatch
Rewrite
Proxy
deflate
mod_expires
Apache Log
跟踪用户的cookie
Charset
PHP 5
Mod Perl
Error Prompt
Invalid command 'Order', perhaps misspelled or defined by a module not
included in the server configuration
Invalid command 'AuthUserFile', perhaps misspelled or defined by a
module not included in the server configuration
26. Tomcat 安装与配置
install java
install tomcat
Connector
mod_jk
mod_proxy_ajp
RewriteEngine 连接 Tomcat
Testing file
Script 1
Shell Script 2
27. Resin
安装Resin

Debian/Ubuntu
源码安装Resin
Compiling mod_caucho.so
28. Application Service
Zope
JBoss - JBoss Enterprise Middleware
29. Search Engine
Solr
Embedded Jetty
Jetty
Tomcat
solr-php-client
multicore
中文分词
Nutch
30. Web Server Optimization
ulimit
open files
php.ini
Resource Limits
File Uploads
Session Shared
PATHINFO
APC Cache (php-apc - APC (Alternative PHP Cache) module for PHP 5)
Zend Optimizer
eaccelerator
Memcached
编译安装
debian/ubuntu
khttpd
31. Web Analysis
综合测试
awstats
webalizer
32. varnish - a state-of-the-art, high-performance HTTP accelerator
Varnish Install
status
varnishadm

清除缓存
log file
IV. File Transfer, Synchronize, Storage And Backup/Restore
33. Download Tools
wget - retrieves files from the web
下载所有图片
axel - A light download accelerator - Console version
34. FTP (File Transfer Protocol)
ncftp
batch command
ncftpget
ncftpput
FileZilla
vsftpd - The Very Secure FTP Daemon
ProFTPD + MySQL / OpenLDAP 用户认证
Proftpd + MySQL
Proftpd + OpenLDAP
Pure-FTPd + LDAP + MySQL + PGSQL + Virtual-Users + Quota
35. Samba
install
smb.conf
Security consideration
by Example
share
user
test
nmblookup - NetBIOS over TCP/IP client used to lookup NetBIOS names
smbfs/smbmount/smbumount
smbclient - ftp-like client to access SMB/CIFS resources on servers
显示共享目录
访问共享资源
用户登录
smbtar - shell script for backing up SMB/CIFS shares directly to UNIX tape drives
FAQ
smbd/service.c:make_connection_snum(1013)
36. File Synchronize
rsync - fast remote file copy program (like rcp)
install with source

install with aptitude

upload
download
mirror
step by step to learn rsync
rsync examples
rsync for windows
tsync
Unison File Synchronizer
local
remote
config
csync2 - cluster synchronization tool
server
node
test
Advanced Configuration
37. Network Storage - Openfiler
Accounts
Volumes
RAID
iSCSI
Quota
Shares
38. Backup / Restore
Simple Backup
Bacula, the Open Source, Enterprise ready, Network Backup Tool for Linux, Unix,
Mac and Windows.
Amanda: Open Source Backup
39. inotify
inotify-tools
Incron - cron-like daemon which handles filesystem events
inotify-tools + rsync
pyinotify
40. Distributed Filesystem
DRBD (Distributed Replicated Block Device)
disk and partition
Installation

configure
Starting
Using
Coda
GlusterFS
MogileFS
Lustre
Hadoop - HDFS
V. Monitor and Assistant
41. System
pmap - report memory map of a process
Webmin
logwatch
nmon
nulog
42. Network
Cacti
Nagios
BIG BROTHER
Bandwidth
OpenNMS
43. Web
awstats
webalizer
44. Zenoss
45. Ganglia
VI. Cluster / Load Balancing
46. Linux Virtual Server
环境配置
VS/NAT
VS/TUN
VS/DR
配置文件
ipvsadm script
debug
ipvsadm monitor
47. keepalived
安装

test
48. heartbeat+ldirectord
49. HAProxy - fast and reliable load balancing reverse proxy
VII. Multimedia
50. ImageMagick
install
convert
批量转换
resize
51. GraphicsMagick
52. How to add metadata to digital pictures from the command line
53. broadcast streaming
gnump3d - A streaming server for MP3 and OGG files
icecast2 - Ogg Vorbis and MP3 streaming media server
installation from source
shoutcast
PeerCast
54. To convert multimedia format
To convert .rm files to .mp3
encode to Macromedia Flash format
55. Voice over IP
Gnu Gatekeeper
Gnu Gatekeeper Install
Gnu Gatekeeper Configure
Gnu Gatekeeper Test
Asterisk (OpenSource Linux PBX that supports both SIP and H.323)
OpenSER SIP Server
56. Open Source Distributed Computing
Boinc (berkeley 分布式计算平台)
ubuntu apt-get 安装
rc.local
A. 附录
参考文档
Linux 下载排名
B. 历史记录
表格清单

1.1. Linux partition

18.1. net.ipv4.ip_forward
37.1. Volume Group Management
范例清单
19.1. server.conf
19.2. client.conf
19.3. server.ovpn
19.4. client.ovpn
19.5. openvpn.conf
19.6. office.conf
19.7. home.ovpn
23.1. /etc/init.d/lighttpd
23.2. fastcgi.conf
25.1. index.php
25.2. php memcache
25.3. php openssl
25.4. autolamp.sh
25.5. mod_perl.conf
26.1. /etc/profile.d/java.sh
26.2. /etc/rc.d/init.d/www
29.1. /etc/profile.d/java.sh
30.1. /etc/init.d/memcached
36.1. examples
36.2. backup to a central backup server with 7 day incremental
36.3. backup to a spare disk
36.4. mirroring vger CVS tree
36.5. automated backup at home
36.6. Fancy footwork with remote file lists
36.7. /etc/csync2.cfg
41.1. nmon
41.2. config.php
42.1. cacti config.php
47.1. keepalived.conf
下一页

自述

自述
自述
上一页下一页
自述
目录
本文目的
内容简介
读者对象
作者简介
联系作者
本文目的
为什么写这篇文章
有很多想法,不能实现.工作中也用不到,所以想写出来,和大家分享.有一点写一点,写得也不好,就当
学习笔记了.
这篇文档是作者8年来对工作的总结,是作者一点一滴的积累起来的，有些笔记已经丢失，所以并
不完整。
因为工作太忙整理比较缓慢。
目前的工作涉及面比较窄所以新文档比较少。
我现在花在技术上的时间越来越少，兴趣转向摄影。也想写写摄影方面的心得体会。
我想到哪写到哪,你会发现文章没一个中心,今天这里写点,明天跳过本章写其它的.
文中例子绝对多,对喜欢复制然后粘贴朋友很有用,不用动手写,也省时间.
理论的东西,网上大把,我这里就不写了,需要可以去网上查.
我爱写错别字,还有一些是打错的,如果发现请指正.
文中大部分试验是在Debian/Ubuntu/Redhat AS上完成.
http://netkiller.sourceforge.net/linux/pr01.html（第 1／2 页）[21/5/2010 21:40:10]

自述
上一页下一页
Netkiller Linux Advanced 手札起始页内容简介
http://netkiller.sourceforge.net/linux/pr01.html（第 2／2 页）[21/5/2010 21:40:10]

内容简介
内容简介
上一页自述下一页
内容简介
当前文档档容比较杂，涉及内容广泛。
慢慢我会将其中章节拆成新文档.
文档内容简介:
1. Network
2. Security
3. Web Application
4. Database
5. Storage And Backup/Restore
6. Cluster
7. Developer
上一页上一级下一页

自述起始页读者对象
http://netkiller.sourceforge.net/linux/pr01s02.html[21/5/2010 21:40:13]
读者对象
读者对象
读者对象
本文档的读者对象:
文档面向有所有读者。您可以选读您所需要的章节,无需全篇阅读,因为有些章节不一定对你有用,
用得着就翻来看看,暂时用不到的可以不看.
大体分来读者可以分为几类:
1. 架构工程师
2. 系统管理员
3. 系统支持,部署工程师
不管是谁,做什么的,我希望通过阅读这篇文档都能对你有所帮助。

内容简介起始页作者简介
http://netkiller.sourceforge.net/linux/pr01s03.html[21/5/2010 21:40:15]
作者简介
作者简介
作者简介
主页地址：http://netkiller.sourceforge.net, http://netkiller.hikz.com, http://netkiller.8800.org
陈景峰 (Neo chen) IT民工，昵称：netkiller, UNIX like爱好者,Senior PHP Software Engineer, 业

余无线电爱好者（呼号：BG7NYT）,摄影爱好者。
《PostgreSQL实用实例参考》，《Postfix 完整解决方案》，《Netkiller Linux 手札》的作者
2001年来深圳进城打工,成为一名外来务工者.
2002年我发现不能埋头苦干,埋头搞技术是不对的,还要学会"做人".
2003年这年最惨,公司拖欠工资16000元,打过两次官司2005才付清.
2004年开始加入分布式计算团队,目前成绩
2004-10月开始玩户外和摄影
2005-6月成为中国无线电运动协会会员
2006年单身生活了这么多年,终于找到归宿.
2007物价上涨,买不起房，买不起车，辛辛苦苦几十年，一下回到解放前
2008终于找到英文学习方法，，《Netkiller Developer 手札》，《Netkiller Document 手札》
2008-8-8 08:08:08 结婚,后全家迁居湖南省常德市
2009《Netkiller Database 手札》,年底拿到C1驾照
2010对电子打击乐产生兴趣，计划学习爵士鼓
http://netkiller.sourceforge.net/linux/pr01s04.html（第 1／2 页）[21/5/2010 21:40:17]

作者简介
读者对象起始页联系作者

联系作者
联系作者
联系作者
Mobile: +86 13113668890
Tel: +86 755 2981-2080
Callsign: BG7NYT QTH: Shenzhen, China
注：请不要问我安装问题！
E-Mail: openunix@163.com
IRC irc.freenode.net #ubuntu / #ubuntu-cn
Yahoo: bg7nyt
ICQ: 101888222
AIM: bg7nyt
TM/QQ: 问我
MSN: 问我
G Talk: 问我
网易泡泡：openunix
写给火腿:
也同样欢迎无线电爱好者和我QSO,我的QTH在深圳龙华苹果园10F,设备YAESU FT-50R,FT-60R,
FT-7800 144-430双段机,拉杆天线/GP天线 Nagoya MAG-79EL-3W/Yagi
如果这篇文章对你有所帮助,请寄给我一张QSL卡片,qrz.cn or qrz.com or hamcall.net
Personal Amateur Radiostations of P.R.China
ZONE CQ24 ITU44 ShenZhen, China
Best Regards, VY 73! OP. BG7NYT

联系作者

作者简介起始页第 1 章 Introduction

第 1 章 Introduction
上一页下一页
目录

Linux Installation
Debian/Ubuntu
http://www.ubuntu.com
Gentoo
http://www.gentoo.org/

GPL 你可以免费使用，但修改后必须开源。
GPLv3 你可以免费使用，但修改后必须开源，不允许加入闭源商业代码。
BSD 你可以免费使用，修改后可不开源，基本上你可以我所欲为。
Linux 中有许多BSD代码，但BSD却不能移植Linux 代码到BSD中，这是因为GPL License。
上一页下一页
联系作者起始页 Distribution information
http://netkiller.sourceforge.net/linux/ch01.html[21/5/2010 21:40:20]
上一页第 1 章 Introduction 下一页
To find your Ubuntu version: lsb_release -a
[root@localhost ~]# lsb_release -a

LSB Version: :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: CentOS
Description: CentOS release 5.2 (Final)
Release: 5.2
Codename: Final
neo@netkiller:~$ lsb_release -a
No LSB modules are available.

Distributor ID: Ubuntu
Description: Ubuntu 8.04.1
Release: 8.04
Codename: hardy

第 1 章 Introduction 起始页 Linux Installation
http://netkiller.sourceforge.net/linux/ch01s02.html[21/5/2010 21:40:22]
Linux Installation
Linux Installation
上一页第 1 章 Introduction 下一页
Linux Installation
partition
表 1.1. Linux partition
volume size
/ 20G
/home 30G
/opt 100G
swap memory * 2

Distribution information 起始页部分 I. System
部分 I. System
部分 I. System
上一页下一页
部分 I. System
目录
2. Ubuntu Server Edition

3. CentOS - The Community ENTerprise Operating System
上一页下一页
Linux Installation 起始页第 2 章 Ubuntu Server Edition
http://netkiller.sourceforge.net/linux/pt01.html[21/5/2010 21:40:25]
第 2 章 Ubuntu Server Edition

上一页部分 I. System 下一页

http://www.ubuntu.com/
Netkiller Ubuntu Linux 手札

部分 I. System 第 3 章 CentOS - The Community
起始页
ENTerprise Operating System
第 3 章 CentOS - The Community ENTerprise Operating System
第 3 章 CentOS - The Community ENTerprise Operating System

上一页部分 I. System 下一页
第 3 章 CentOS - The Community ENTerprise Operating

System
http://www.centos.org/
Netkiller CentOS Linux 手札

第 2 章 Ubuntu Server Edition 起始页部分 II. Network Application
部分 II. Network Application

上一页下一页

目录
4. network tools
curl / w3m / lynx
5. Host
/etc/host.conf
/etc/hosts
/etc/resolv.conf
6. IP And Router
netmask
iproute2
添加路由
删除路由
变更路由
增加默认路由
cache
策略路由
负载均衡
MASQUERADE
ip tunnel
VLAN
Zebra
7. DHCP
DHCP Server
dhclient
8. DNS/Bind
bind9
Load Balancing
view
http://netkiller.sourceforge.net/linux/pt02.html（第 1／5 页）[21/5/2010 21:40:33]

tools
9. Proxy Server
Apache Proxy
源码安装
配置
Squid 管理
Squid 实用案例
Web page proxy
Surrogafier
CGIproxy
PHPProxy
BBlocked
Glype
Zelune
SOCKS
Socks5
10. Point to Point
download
11. News Group (innd)
User Authentication
usenet 管理
通过SSL连接
src.rpm 安装
12. IRC - Internet Relay Chat
IRC Commands
ircd-hybrid
IRC Client
13. jabber


ejabberdctl
DJabberd
Developer
python-xmpp
14. NET SNMP (Simple Network Management Protocol)
安装SNMP
例出MBI
SNMP v3
Cacti
15. Network Authentication
安装NIS服务器
Slave NIS Server
application example
OpenLDAP
Server
Client
Kerberos
Kerberos 安装
Kerberos Server
Kerberos Client
Kerberos Management
FreeRADIUS
ldap
mysql
WAP2 Enterprise
16. Sniffer


Nessus
17. OpenSSH
Putty
OpenSSH Tunnel
SOCKS v5 Tunnel
OpenSSH for Windows
18. Firewall
net.ipv4.ip_forward
Getting Started
User-defined Chain
Interfaces
IP Addresses
Ports and Protocols
NAT
IPV6
/etc/default/ufw
ip_forward
DHCP
Samba
Firewall GUI Tools
Shorewall Tools
Endian Firewall
Smooth Firewall
19. OpenVPN (openvpn - Virtual Private Network daemon)
Openvpn Server
Openvpn Client

Windows Server
Windows Client
point-to-point VPNs
源码安装
vpn 案例
20. pptpd
21. Ipsec VPN
22. Stunnel - universal SSL tunnel
上一页下一页
第 3 章 CentOS - The Community 第 4 章 network tools
起始页
ENTerprise Operating System

第 4 章 network tools
上一页部分 II. Network Application 下一页
目录
curl / w3m / lynx

curl / w3m / lynx

curl
curl http://netkiller.8800.org
w3m
w3m http://netkiller.8800.org
lynx
lynx http://netkiller.8800.org

部分 II. Network Application 起始页 iptraf - Interactive Colorful IP LAN
Monitor

上一页第 4 章 network tools 下一页
[root@development ~]# yum -y install iptraf

第 4 章 network tools 起始页第 5 章 Host
第 5 章 Host
第 5 章 Host
第 5 章 Host
目录
/etc/host.conf
/etc/hosts
/etc/resolv.conf
/etc/host.conf
解析顺序配置文件
[root@development bin]# cat /etc/host.conf

order hosts,bind
首先在/etc/hosts文件中寻找，如果不存在，再去DNS服务器中寻找

iptraf - Interactive Colorful IP LAN 起始页 /etc/hosts
Monitor
/etc/hosts
/etc/hosts
上一页第 5 章 Host 下一页
/etc/hosts
IP地址后面TAB符，然后写主机地址
127.0.0.1 localhost.localdomain localhost

::1 localhost6.localdomain6 localhost6
192.168.1.10 development.example.com development

第 5 章 Host 起始页 hosts.allow / hosts.deny
/etc/hosts.allow 和 /etc/hosts.deny
许可IP／禁止IP，相当于黑白名单

/etc/hosts 起始页 /etc/resolv.conf
/etc/resolv.conf
/etc/resolv.conf
/etc/resolv.conf
search example.com
nameserver 208.67.222.222

hosts.allow / hosts.deny 起始页第 6 章 IP And Router
第 6 章 IP And Router
目录
netmask
iproute2
添加路由
删除路由
变更路由
增加默认路由
cache
策略路由
负载均衡
MASQUERADE
ip tunnel
VLAN
Zebra
netmask
# iptab
+----------------------------------------------+
| addrs bits pref class mask |
+----------------------------------------------+
| 1 0 /32 255.255.255.255 |
| 2 1 /31 255.255.255.254 |
| 4 2 /30 255.255.255.252 |
| 8 3 /29 255.255.255.248 |
| 16 4 /28 255.255.255.240 |
| 32 5 /27 255.255.255.224 |
| 64 6 /26 255.255.255.192 |
| 128 7 /25 255.255.255.128 |
| 256 8 /24 1C 255.255.255.0 |
| 512 9 /23 2C 255.255.254.0 |
http://netkiller.sourceforge.net/linux/ch06.html（第 1／2 页）[21/5/2010 21:40:45]

| 1K 10 /22 4C 255.255.252.0 |
| 2K 11 /21 8C 255.255.248.0 |
| 4K 12 /20 16C 255.255.240.0 |
| 8K 13 /19 32C 255.255.224.0 |
| 16K 14 /18 64C 255.255.192.0 |
| 32K 15 /17 128C 255.255.128.0 |
| 64K 16 /16 1B 255.255.0.0 |
| 128K 17 /15 2B 255.254.0.0 |
| 256K 18 /14 4B 255.252.0.0 |
| 512K 19 /13 8B 255.248.0.0 |
| 1M 20 /12 16B 255.240.0.0 |
| 2M 21 /11 32B 255.224.0.0 |
| 4M 22 /10 64B 255.192.0.0 |
| 8M 23 /9 128B 255.128.0.0 |
| 16M 24 /8 1A 255.0.0.0 |
| 32M 25 /7 2A 254.0.0.0 |
| 64M 26 /6 4A 252.0.0.0 |
| 128M 27 /5 8A 248.0.0.0 |
| 256M 28 /4 16A 240.0.0.0 |
| 512M 29 /3 32A 224.0.0.0 |
| 1024M 30 /2 64A 192.0.0.0 |
| 2048M 31 /1 128A 128.0.0.0 |
| 4096M 32 /0 256A 0.0.0.0 |
+----------------------------------------------+

/etc/resolv.conf 起始页 iproute2

iproute2
iproute2
上一页第 6 章 IP And Router 下一页
iproute2
add 增加路由
del 删除路由
via 网关出口 IP地址
dev 网关出口物理设备名
添加路由
ip route add 192.168.0.0/24 via 192.168.0.1

ip route add 192.168.1.1 dev 192.168.0.1
删除路由
ip route del 192.168.0.0/24 via 192.168.0.1
变更路由
[root@router ~]# ip route

192.168.5.0/24 dev eth0 proto kernel scope link src 192.168.5.47
default via 192.168.3.1 dev eth0
[root@router ~]# ip route change default via 192.168.5.1 dev eth0
[root@router ~]# ip route list

default via 192.168.5.1 dev eth0
http://netkiller.sourceforge.net/linux/ch06s02.html（第 1／2 页）[21/5/2010 21:40:47]

iproute2
增加默认路由
192.168.0.1 是我的默认路由器
ip route add default via 192.168.0.1 dev eth0
cache
ip route flush cache

第 6 章 IP And Router 起始页策略路由

策略路由
策略路由
策略路由
比如我们的LINUX有3个网卡
eth0: 192.168.1.1　　　（局域网）
eth1: 172.17.1.2　　　（default gw=172.17.1.1，可以上INTERNET）
eth2: 192.168.10.2　　（连接第二路由192.168.10.1，也可以上INTERNET）
实现两个目的
1、让192.168.1.66从第二路由上网，其他人走默认路由
2、让所有人访问192.168.1.1的FTP时，转到192.168.10.96上
配置方法：
vi /etc/iproute2/rt_tables
#
# reserved values
#
255 local
254 main
253 default
100 ROUTE2
# ip route default via 172.17.1.1 dev eth1

# ip route default via 192.168.10.1 dev eth2 table ROUTE2
# ip rule add from 192.168.1.66 pref 1001 table ROUTE2
# ip rule add to 192.168.10.96 pref 1002 table ROUTE2
# echo 1 >; /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -j MASQUERADE
# iptables -t nat -A PREROUTING -d 192.168.1.1 -p tcp --dport 21 -j DNAT --to
192.168.10.96
# ip route flush cache
http://phorum.study-area.org/viewtopic.php?t=10085
引用：# 對外網卡
EXT_IF="eth0"

策略路由
# HiNet IP
EXT_IP1="111.111.111.111"
EXT_MASK1="24"
GW1="111.111.111.1"
# SeedNet IP
EXT_IP2="222.222.222.222"
EXT_MASK2="24"
GW2="222.222.222.1"
# ?#93;定 ip
ip addr add $EXT_IP1/$EXT_MASK1 dev $EXT_IF
ip addr add $EXT_IP2/$EXT_MASK2 dev $EXT_IF
# ?#93;定 HiNet routing

ip rule add to $EXT_IP1/$EXT_MASK1 lookup 201
ip route add default via $GW1 dev $EXT_IF table 201
# ?#93;定 SeedNet routing

ip rule add to $EXT_IP2/$EXT_MASK2 lookup 202
ip route add default via $GW2 dev $EXT_IF table 202
# ?#93;定 Default route

ip route replace default equalize \
nexthop via $GW1 dev $EXT_IF \
nexthop via $GW2 dev $EXT_IF
# 清除 route cache
ip route flush cache
它这里的ip rule也是这么使用的

iproute2 起始页负载均衡

负载均衡
负载均衡
负载均衡
ip route add default scope global nexthop dev ppp0 nexthop dev ppp1
neo@debian:~$ sudo ip route add default scope global nexthop via 192.168.3.1 dev
eth0 weight 1 \
nexthop via 192.168.5.1 dev eth2 weight 1
neo@debian:~$ sudo ip route

default
ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \
nexthop via $P2 dev $IF2 weight 1

策略路由起始页 MASQUERADE
MASQUERADE
MASQUERADE
MASQUERADE
iptables–tnat–APOSTROUTING–d192.168.1.0/24–s0/0–oppp0–jMASQUERD
iptables–tnat–APOSTROUTING–s192.168.1.0/24-jSNAT–
to202.103.224.58
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
#ip route add via ppp0 dev eth0

#ip route add via 202.103.224.58 dev eth0

负载均衡起始页 ip tunnel
ip tunnel
ip tunnel
ip tunnel
ipip 是IP隧道模块
过程 6.1. ip tunnel IP隧道配置步骤
1. server 1
modprobe ipip
ip tunnel add mytun mode ipip remote 220.201.35.11 local 211.100.37.167 ttl 255
ifconfig mytun 10.42.1.1
route add -net 10.42.1.0/24 dev mytun
2. server 2
modprobe ipip
ip tunnel add mytun mode ipip remote 211.100.37.167 local 220.201.35.11 ttl 255
3. nat
/sbin/iptables -t nat -A POSTROUTING -s 10.42.1.0/24 -j MASQUERADE

删除路由表
route del -net 10.42.1.0/24 dev mytun
修改IP隧道的IP

ip 伪装

ip tunnel

MASQUERADE 起始页 VLAN

VLAN
VLAN
VLAN
首先需确保加载了内核模块 802.1q
[root@development ~]# lsmod | grep 8021q

[root@development ~]# modprobe 8021q
加载后会生成目录/proc/net/vlan
[root@development ~]# cat /proc/net/vlan/config

VLAN Dev name | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD

ip tunnel 起始页 Zebra
Zebra
Zebra
Zebra
http://www.zebra.org/

VLAN 起始页第 7 章 DHCP
第 7 章 DHCP
第 7 章 DHCP
第 7 章 DHCP
目录
DHCP Server
dhclient
DHCP Server
eth0 公网ip
eth1 192.168.0.1 255.255.255.0
eth2 192.168.1.1 255.255.255.0
dhcpd.conf配置内容如下：
#Sample /etc/dhcpd.conf
default-lease-time 1200;
max-lease-time 19200;
option domain-name-servers 202.102.192.68,202.102.199.68;
#option domain-name "test.test";
ddns-update-style ad-hoc;
subnet 192.168.0.0 netmask 255.255.255.0 {

range 192.168.0.20 192.168.0.200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.0.255;
option routers 192.168.0.1;
}
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.20 192.168.1.200;

第 7 章 DHCP
option subnet-mask 255.255.255.0;

option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
}

Zebra 起始页 dhclient

dhclient
dhclient
上一页第 7 章 DHCP 下一页
dhclient
all interface
$ sudo dhclient
eth0
$ sudo dhclient eth0

第 7 章 DHCP 起始页 release matching connections

上一页第 7 章 DHCP 下一页

windows
> ipconfig /release

> ipconfig /renew

dhclient 起始页第 8 章 DNS/Bind
第 8 章 DNS/Bind
第 8 章 DNS/Bind
第 8 章 DNS/Bind
目录
bind9
Load Balancing
view
tools
bind9
neo@master:~$ # apt-get install bind9
named.conf.local.neo.org
neo@master:~$ cat /etc/bind/named.conf.local.neo.org
zone "neo.org" in {
type master;
file "db.neo.org";
};
zone "0.16.172.in-addr.arpa" in {
type master;
file "db.172.16.0";
};
/var/cache/bind/db.neo.org
neo@master:~$ cat /var/cache/bind/db.neo.org

@ IN SOA neo.org. root.neo.org. (
200211131 ; serial, todays date + todays serial #
28800 ; refresh, seconds
7200 ; retry, seconds
3600000 ; expire, seconds
86400 ) ; minimum, seconds

第 8 章 DNS/Bind
NS ns.neo.org.
@ IN A 172.16.0.1
www IN A 172.16.0.1
mail IN A 172.16.0.1
@ MX 10 mail.neo.org.
/var/cache/bind/db.172.16.0
neo@master:~$ cat /var/cache/bind/db.172.16.0

@ IN SOA neo.org root.neo.org. (
2002111300 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS ns.neo.org.
1 PTR www1.neo.org.
2 PTR www2.neo.org.
3 PTR www3.neo.org.
neo@master:~$
/etc/resolv.conf
neo@master:~$ cat /etc/resolv.conf

search neo.org
neo@master:~$

release matching connections 起始页 Load Balancing

Load Balancing
Load Balancing
上一页第 8 章 DNS/Bind 下一页
Load Balancing
Load Balancing (DNS 轮循负载均衡•••)
Bind 8

NS ns.neo.org.
@ IN A 192.168.0.1
web IN A 192.168.0.1
mail IN A 192.168.0.1
www1 IN A 172.16.0.1
www2 IN A 172.16.0.2
www3 IN A 172.16.0.3
www4 IN A 172.16.0.4
www IN CNAME www1.neo.org.

neo@master:~$
Bind 9


Load Balancing
NS ns.neo.org.
@ IN A 192.168.0.1
web IN A 192.168.0.1
mail IN A 192.168.0.1
www IN A 172.16.0.1
www IN A 172.16.0.2
www IN A 172.16.0.3
www IN A 172.16.0.4
www IN A 10.50.1.110
www IN A 10.50.1.131
www IN A 10.50.1.122
neo@master:~$

第 8 章 DNS/Bind 起始页 view

view
view
view
acl "cnc_view" {
220.250.21.86;
216.93.170.17;
216.93.160.16;
210.53.31.2;
218.104.224.106;
218.66.59.233;
218.66.102.93;
202.101.98.55;
};
view "cnc" {
match-clients { "cnc_view"; };
recursion yes;
zone "." { type hint; file "named.root"; };
zone "netkiller.org.cn" { type master; file "cnc/netkiller.org.cn" ; };
};
view "no_cnc" {
match-clients { any; };
recursion yes;
zone "netkiller.org.cn" { type master; file "telecom/netkiller.org.cn"; };
zone "." { type hint; file "named.root"; };
};

Load Balancing 起始页 tools
tools
tools
tools
nslookup
dig @<name server> <domain name>
[root@testing neo]# dig @202.96.134.133 netkiller.8800.org
; <<>> DiG 9.2.4 <<>> @202.96.134.133 netkiller.8800.org

;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47971
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;netkiller.8800.org. IN A
;; ANSWER SECTION:
netkiller.8800.org. 14353 IN A 220.201.35.11
;; AUTHORITY SECTION:
8800.org. 86398 IN NS ns1.3322.net.
8800.org. 86398 IN NS ns2.3322.net.
;; ADDITIONAL SECTION:
ns1.3322.net. 166302 IN A 61.177.95.125
ns2.3322.net. 166298 IN A 222.185.245.254
;; Query time: 4 msec

;; SERVER: 202.96.134.133#53(202.96.134.133)
;; WHEN: Fri May 11 22:25:54 2007
;; MSG SIZE rcvd: 128
[root@testing neo]#

tools

view 起始页第 9 章 Proxy Server

第 9 章 Proxy Server
目录
Apache Proxy
源码安装
配置
Squid 管理
Squid 实用案例
Web page proxy
Surrogafier
CGIproxy
PHPProxy
BBlocked
Glype
Zelune
SOCKS
Socks5
Apache Proxy
netkiller@Linux-server:/etc/apache2$ sudo a2enmod proxy

Module proxy installed; run /etc/init.d/apache2 force-reload to enable.
netkiller@Linux-server:/etc/apache2$ sudo a2enmod proxy_connect
Module proxy_connect installed; run /etc/init.d/apache2 force-reload to enable.
netkiller@Linux-server:/etc/apache2$ sudo a2enmod proxy_http
Module proxy_http installed; run /etc/init.d/apache2 force-reload to enable.
netkiller@Linux-server:/etc/apache2$
proxy.conf
ProxyRequests On
ProxyPass /mirror/1/ http://netkiller.hikz.com/
ProxyPassReverse /mirror/1/ http://netkiller.hikz.com/

netkiller@Linux-server:/etc/apache2$ cat mods-available/proxy.conf

<IfModule mod_proxy.c>
#turning ProxyRequests on and allowing proxying from all may allow

#spammers to use your proxy to send email.
#ProxyRequests Off
ProxyRequests On
<Proxy *>
Order deny,allow
Deny from all
#Allow from .your_domain.com
Allow from all
</Proxy>
# Enable/disable the handling of HTTP/1.1 "Via:" headers.

# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
ProxyVia On
# To enable the cache as well, edit and uncomment the following lines:
# (no cacheing without CacheRoot)
CacheRoot "/var/cache/apache2/proxy"
CacheSize 5
CacheGcInterval 4
CacheMaxExpire 24
CacheLastModifiedFactor 0.1
CacheDefaultExpire 1
# Again, you probably should change this.
#NoCache a_domain.com another_domain.edu joes.garage_sale.com
</IfModule>
VirtualHost
<VirtualHost *>
ServerAdmin openunix@163.com
DocumentRoot /home/netkiller/public_html
ServerName netkiller.8800.org
ErrorLog /home/netkiller/log/netkiller.8800.org-error_log
CustomLog /home/netkiller/log/netkiller.8800.org-access_log common
ProxyPass /mirror/1/ http://netkiller.hikz.com/
ProxyPassReverse /mirror/1/ http://netkiller.hikz.com/

<Location /repos>
DAV svn
SVNPath /home/netkiller/repos
</Location>
</VirtualHost>
<VirtualHost *:*>
ServerAdmin openunix@163.com
ServerName mirror.netkiller.8800.org
ErrorLog /home/netkiller/log/netkiller.8800.org-error_log
CustomLog /home/netkiller/log/netkiller.8800.org-access_log common
ProxyPass / http://netkiller.hikz.com/
ProxyPassReverse / http://netkiller.hikz.com/
</VirtualHost>
测试http://netkiller.8800.org/mirror/1/, mirror.netkiller.8800.org

tools 起始页 Squid - Internet Object Cache (WWW proxy
cache)


上一页第 9 章 Proxy Server 下一页

如果apache 安装了gzip,deflate需要开启cache_vary
cache_vary on
源码安装
wget http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE13.tar.gz
./configure --prefix=/usr/local/squid-2.6
make all
make install
mkdir -p /usr/local/squid-2.6/var/cache
chown nobody.nobody -R /usr/local/squid-2.6/var/
ln -s /usr/local/squid-2.6 /usr/local/squid
cd /usr/local/squid
./squid -NCd1
$ sudo apt-get install squid
$ sudo apt-get install squid3

$ sudo apt-get install squidclient
配置
查看当前配置参数

当你打开squid.conf文件时，你会头大，因为文件太长了，并且已经启用了部分参数。你可以使用下面命令查看那
些参数被开启。
$ grep '^[a-z]' squid.conf
下面是安装squid3后的默认开启选项
$ grep '^[a-z]' squid.conf

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access deny all
htcp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid3/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
coredump_dir /var/spool/squid3
修改squid.conf之前请做好备份。
netkiller@Linux-server:/etc/squid$ sudo cp squid.conf squid.conf.old

netkiller@Linux-server:/etc/squid$ sudo vi squid.conf
生成自己的squid.conf文件,这样比较清晰
$ grep '^[a-z]' squid.conf.old > squid.conf
代理服务器
加入权限认证
netkiller@Linux-server:/etc/squid$ sudo htpasswd -c /etc/squid/squid_passwd neo

New password:
Re-type new password:
Adding password for user neo
netkiller@Linux-server:/etc/squid$
netkiller@Linux-server:/etc/squid$ sudo find / -name ncsa_auth

/usr/lib/squid/ncsa_auth
#
# Add this to the auth_param section of squid.conf
#
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
#
# Add this to the bottom of the ACL section of squid.conf
#
acl ncsa_users proxy_auth REQUIRED
acl business_hours time M T W H F 9:00-17:00
#
# Add this at the top of the http_access section of squid.conf
#
http_access allow ncsa_users business_hours
extension_methods REPORT MERGE MKACTIVITY CHECKOUT # subversion
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
默认端口 3128 如果你不想改squid.conf,可以使用iptables映射
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 0.0.0.0/0.0.0.0 --dport 80 -j REDIRECT --to-

ports 3128
设置你的浏览器，并测试
Squid作为反向代理Cache服务器(Reverse Proxy)
这里我们将apache和squid安装在一台服务器上
过程 9.1. 配置步骤
1. 配置Apache监听端口
netkiller@Linux-server:~$ cd /etc/apache2/
netkiller@Linux-server:/etc/apache2$ sudo cp ports.conf ports.conf.old
netkiller@Linux-server:/etc/apache2$ sudo vi ports.conf
Listen 8080
Listen 443
netkiller@Linux-server:/etc/apache2$ sudo /etc/init.d/apache2 restart
* Forcing reload of apache 2.0
web
server...
[ ok ]

netkiller@Linux-server:/etc/apache2$
restart/reload后测试一下
http://localhost:8080/
2. squid 2.5 之前的版本
netkiller@Linux-server:/etc/apache2$ cd ../squid/
http_port 80
httpd_accel_host localhost
httpd_accel_port 8080
httpd_accel_single_host on
httpd_accel_with_proxy on
httpd_accel_uses_host_header off
netkiller@Linux-server:/etc/squid$ sudo /etc/init.d/squid reload
* Reloading Squid configuration files
...done.
squid 2.5 之前的版本
对公网主机220.201.35.11:80做Cache
http_port 80
httpd_accel_host 220.201.35.11
httpd_accel_port 80
...done.

多台主机做Cache
http_port 80
httpd_accel_host virtual
httpd_accel_port 8080
...done.
3. squid 2.6之后版本的配置
localhost
http_port 80 defaultsite=localhost vhost transparent

cache_peer localhost parent 8080 0 no-query originserver
其它主机
http_port 80 defaultsite=192.168.1.2 vhost transparent

cache_peer 192.168.1.2 parent 80 0 no-query originserver
4. 2.7/3.0 版本
visible_hostname netkiller.8800.org
http_port 80 accel vhost vport

cache_peer 127.0.0.1 parent 8080 0 no-query originserver name=mainsite

cache_peer 127.0.0.1 parent 8080 0 no-query originserver name=site1
cache_peer_domain mainsite netkiller.8800.org
cache_peer_domain site1 neo.ohyeap.com
http_access allow all
5. 注意事项
ERROR
The requested URL could not be retrieved
* Access Denied
出现上面错说，关闭http_access deny all
# And finally deny all other access to this proxy
#http_access deny all
#squid.conf
#服务器IP 192.168.1.1
#监听服务器的80端口，透明代理，支持域名和IP的虚拟主机
http_port 192.168.1.1:80 transparent vhost vport
#限制同一IP客户端的最大连接数
acl OverConnLimit maxconn 16
http_access deny OverConnLimit
#防止天涯盗链，转嫁给百度
acl tianya referer_regex -i tianya
http_access deny tianya
deny_info http://www.baidu.com/logs.gif tianya
#防止被人利用为HTTP代理，设置允许访问的IP地址
acl myip dst 192.168.1.1
http_access deny !myip
#防止百度机器人爬死服务器
acl AntiBaidu req_header User-Agent Baiduspider
http_access deny AntiBaidu
#允许本地管理
acl Manager proto cache_object
acl Localhost src 127.0.0.1 192.168.1.1
http_access allow Manager Localhost
http_access deny Manager
#仅仅允许80端口的代理
acl Safe_ports port 80 # http
#Squid信息设置
visible_hostname netkiller.8800.org
cache_mgr openunix@163.com
#基本设置
cache_effective_user squid
cache_effective_group squid
tcp_recv_bufsize 65535 bytes
#2.5的反向代理加速配置
#httpd_accel_host 127.0.0.1
#httpd_accel_port 80
#httpd_accel_single_host on
#httpd_accel_uses_host_header on
#httpd_accel_with_proxy on
#2.6的反向代理加速配置
#代理到本机的80端口的服务，仅仅做为原始内容服务器
#错误文档
error_directory /usr/local/squid/share/errors/Simplify_Chinese
#单台使用，不使用该功能
icp_port 0

代理+反向代理
http_port 80 vhost vport defaultsite=220.201.35.11

http_port 88
......
......
acl Manager proto cache_object
acl Localhost src 127.0.0.1/32
acl Safe_ports port 80
acl all src 0.0.0.0/0.0.0.0
acl ACCEL_DST dst 127.0.0.1/32 220.201.35.11/32
acl ACCEL_MODE myport 80

acl PROXY_MODE myport 88
# Authentation
auth_param basic realm Please Login
auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/
etc/passwd
acl VALIDUSER proxy_auth plan9
# ACCEL MODE
# -----------------------------------------------------------------------------
cache_peer_access 220.201.35.11 allow ACCEL_MODE
cache_peer_access 220.201.35.11 deny all
http_access allow ACCEL_DST Safe_ports

http_access allow PROXY_MODE VALIDUSER
http_access allow ACCEL_MODE
http_access allow Manager Localhost
http_access deny all
icp_access deny all
Squid 管理
squidclient
squidclient -- client interface to the squid cache
squidclient 使用方法
1. 运行状态信息： squidclient -p 80 mgr:info

2. 内存使用情况： squidclient -p 80 mgr:mem
3. 磁盘使用情况： squidclient -p 80 mgr:diskd
4. 已经缓存的列表： squidclient -p 80 mgr:objects. use it carefully,it may crash
5. 强制更新url：squidclient -p 80 -m PURGE http://netkiller.8800.org/index.html
6. 查看更多信息：squidclient -h 或者 squidclient -p 80 mgr:
debian:~# squidclient -p 80 mgr:squidaio_counts

HTTP/1.0 200 OK
Server: squid/2.6.STABLE5
Date: Sun, 29 Apr 2007 13:27:09 GMT
Content-Type: text/plain
Expires: Sun, 29 Apr 2007 13:27:09 GMT
Last-Modified: Sun, 29 Apr 2007 13:27:09 GMT
X-Cache: MISS from debian.example.org.example.org
X-Cache-Lookup: MISS from debian.example.org.example.org:80
Via: 1.0 debian.example.org.example.org:80 (squid/2.6.STABLE5)
Connection: close
ASYNC IO Counters:
Operation # Requests
open 0
close 0
cancel 0
write 0
read 0
stat 0
unlink 0
check_callback 0
queue 0
debian:~#
squidclient -p 80 mgr:5min
reset cache
重做 cache
mkdir /var/spool/squid
chown proxy.proxy -R /var/spool/squid
netkiller@Linux-server:~$ sudo squid -z
netkiller@Linux-server:~$ sudo squid -k reconfigure
加到head中
HTML
<META HTTP-EQUIV="pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache, must-revalidate">
<META HTTP-EQUIV="expires" CONTENT="Wed, 26 Feb 1978 08:21:57 GMT">
ASP
<%
Response.Expires = -1
Response.ExpiresAbsolute = Now() - 1
Response.cachecontrol = "no-cache"
%>
PHP
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Cache-Control: no-cache, must-revalidate");
header("Pragma: no-cache");
JSP
response.setHeader("Pragma","No-Cache");
response.setHeader("Cache-Control","No-Cache");
response.setDateHeader("Expires", 0);
C#中禁止cache的方法！
Response.Buffer=true;
Response.ExpiresAbsolute=System.DateTime.Now.AddSeconds(-1);
Response.Expires=0;
Response.CacheControl="no-cache";
让浏览器发送no-cache头,只需Ctrl+f5刷新
Squid 实用案例
Squid Apache/Lighttpd 在同一台服务器上
squid 与 web server 在同一台服务器上,一般情况是squid 监听80端口, web server 监听其它端口(一般是8080)
用户访问时通过80端口访问服务器.不想让用户访问8080.
1. web server
Apache httpd.conf文件Listen 8080 改成IP:Port,这样8080端口只允许本地访问
Listen 127.0.0.1:8080
lighttpd
vi /etc/lighttpd/lighttpd.conf
server.port = 8080
server.bind = "localhost"
/etc/init.d/lighttpd reload
本地测试
curl http://127.0.0.1:8080/
2. Squid

http_port 80 defaultsite=localhost vhost

cache_peer localhost parent 8080 0 no-query originserver
acl our_networks src 172.16.0.0/16

http_access allow our_networks
测试
curl http://127.0.0.1/
在其它电脑上用IE访问http://your_ip/ 可以看到你的主页
在其它电脑上用IE访问 http://ip:8080/ 应该是无法访问

3. 另一种方法是使用 iptables 实现
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 8080 -j DROP

/sbin/iptables -A INPUT -i lo -p tcp --dport 8080 -j ACCEPT
使用 nmap 工具还是可以看到8080存在的.
# nmap localhost
debian:~# nmap localhost
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-04-29 08:28 EDT

Interesting ports on localhost (127.0.0.1):
Not shown: 1670 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind

113/tcp open auth

548/tcp open afpovertcp
901/tcp open samba-swat
953/tcp open rndc
8080/tcp open http-proxy
Nmap finished: 1 IP address (1 host up) scanned in 0.268 seconds
用非 root 用户守护 Squid
squid.conf
http_port 3128 transparent vhost vport
iptables 做端口重定向
iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 80 --to-

ports 3128

第 9 章 Proxy Server 起始页 Web page proxy

Web page proxy
Web page proxy

Web page proxy
Surrogafier
homepage: http://bcable.net/project.php?surrogafier
Surrogafier，安装最简便。只需要下载一个PHP文件，上传到网站的某个目录，然后从浏览器里访问这个PHP脚本，就
有了代理页面。
基本配置
# Default to simple mode when the page is loaded. [false]

define('DEFAULT_SIMPLE',true);
# Force the page to always be in simple mode (no advanced mode option). [false]
define('FORCE_SIMPLE',false);
# Width for the URL box when in simple mode (CSS "width" attribute). [300px]
define('SIMPLE_MODE_URLWIDTH','300px');
# Default value for tunnel server. []

define('DEFAULT_TUNNEL_PIP','');
# Default value for tunnel port. []
define('DEFAULT_TUNNEL_PPORT','');
# Should the tunnel fields be displayed? "false" value here will force the defaults
above [true]
define('FORCE_DEFAULT_TUNNEL',true);
# Default value for "Persistent URL" checkbox [true]

define('DEFAULT_URL_FORM',true);
# Default value for "Remove Cookies" checkbox [false]
define('DEFAULT_REMOVE_COOKIES',false);
# Default value for "Remove Referer Field" checkbox [false]
define('DEFAULT_REMOVE_REFERER',false);
# Default value for "Remove Scripts" checkbox [false]
define('DEFAULT_REMOVE_SCRIPTS',false);
# Default value for "Remove Objects" checkbox [false]
define('DEFAULT_REMOVE_OBJECTS',false);
# Default value for "Encrypt URLs" checkbox [false]
define('DEFAULT_ENCRYPT_URLS',true);
# Default value for "Encrypt Cookies" checkbox [false]
define('DEFAULT_ENCRYPT_COOKS',true);

Web page proxy
高级选项
#从代理服务器到用户的传输用gzip压缩
define('GZIP_PROXY_USER',true);
# 如果可能，在代理获取的内容也用gzip压缩
define('GZIP_PROXY_SERVER',true);
#每次访问的超时计数，由10秒增加到20秒
define('TIME_LIMIT',20);
#域名解析缓存的时间，由原来的10分钟，改为90分钟
define('DNS_CACHE_EXPIRE',90);
CGIproxy
http://www.jmarshall.com/tools/cgiproxy/
PHPProxy
http://sourceforge.net/projects/poxy/
$ wget http://nchc.dl.sourceforge.net/sourceforge/poxy/poxy-0.5b2.zip
$ unzip poxy-0.5b2.zip
http://freshmeat.net/projects/phpproxy/
BBlocked
http://www.bblocked.org/
Glype
http://www.glype.com/
Zelune

Squid - Internet Object Cache (WWW proxy 起始页 SOCKS
cache)

SOCKS
SOCKS
SOCKS
Socks5
软件包socks5-v1.0r11他的主站已经无法访问,你可以搜一下.
安装
./configure --with-threads
make
make install
1. install.
$ sudo apt-get install dante-server
2. configure.
$ sudo vim /etc/danted.conf
$ cat danted.conf | sed s/^#.*//g | sed -r /^$/d

logoutput: /tmp/socks.log
internal: eth0 port = 1080
external: 172.16.0.1
method: username none #rfc931
clientmethod: none
user.privileged: proxy
user.notprivileged: nobody
user.libwrap: nobody
client pass {
from: 0.0.0.0/0 port 1-65535 to: 0.0.0.0/0
}
pass {

SOCKS
from: 0.0.0.0/0 to: 0.0.0.0/0

protocol: tcp udp
}
3. Once the config is complete. Start/Restart dante socks server:
$ sudo /etc/init.d/danted start
check to see if server is listening on 1080
$ netstat -n -a |grep 1080

tcp 0 0 172.16.0.1:1080 0.0.0.0:* LISTEN
tcp 0 0 172.16.0.1:1080 10.8.0.6:1485
TIME_WAIT
4. Make sure the firewall is open.
$ grep socks /etc/services

socks 1080/tcp # socks proxy server
socks 1080/udp
$ sudo ufw allow socks

Rule added
SSL Tunnel
internal: 127.0.0.1 port = 1080
ssh -L 1080:localhost:1080 username@yourserver
or

SOCKS
ssh user@server.com -D 1080

# -D is for Dynamic Port Forwarding.
$ sudo apt-get install hpsockd

$ sudo cp /usr/share/doc/hpsockd/examples/hpsockd.conf /etc/hpsockd.conf
$ sudo vim /etc/hpsockd.conf

Web page proxy 起始页第 10 章 Point to Point

第 10 章 Point to Point
目录
download
download
$ apt-cache search rtorrent

rtpg-www - web based front end for rTorrent
$ sudo apt-get install mldonkey-server
$ sudo cat /etc/default/mldonkey-server

# MLDonkey configuration file
# This file is loaded by /etc/init.d/mldonkey-server.
# This file is managed using ucf(1).
MLDONKEY_DIR=/var/lib/mldonkey
MLDONKEY_USER=mldonkey
MLDONKEY_GROUP=mldonkey
MLDONKEY_UMASK=0022
LAUNCH_AT_STARTUP=false
MLDONKEY_NICENESS=0
Initial Setup
Once the daemon is running, connect to it as the admin user and change the password:

$ telnet 127.0.0.1 4000

Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Welcome to MLDonkey 2.8.5
Welcome on mldonkey command-line
Use ? for help
MLdonkey command-line:
> auth admin ""
Full access enabled
> passwd newpasswd
Password of user admin changed
>
$ apt-cache search amule

amule-adunanza - client for the eD2k and Kadu networks for for Fastweb clients
amule-adunanza-daemon - non-graphic version of aMule-AdunanzA, a client for the eD2k
and
amule-adunanza-utils - utilities for aMule-AdunanzA (command-line version)
amule-adunanza-utils-gui - graphic utilities for aMule-AdunanzA
amule-common - common files for the rest of aMule packages
amule-daemon - non-graphic version of aMule, a client for the eD2k and Kad networks
amule-emc - list ed2k links inside emulecollection files
amule-gnome-support - ed2k links handling support for GNOME web browsers
amule-utils - utilities for aMule (command-line version)
amule-utils-gui - graphic utilities for aMule

SOCKS 起始页第 11 章 News Group (innd)

第 11 章 News Group (innd)


目录
User Authentication
usenet 管理
通过SSL连接
src.rpm 安装
homepage: http://www.isc.org/inn.html
过程 11.1. innd
1. debian 安装
sudo apt-get install inn2
2. 配置
a. inn.conf
cd /etc/news/
chown news.news inn.conf
domain: example.org
server: localhost
fromhost: news.example.org
moderatormailer: openunix@163.com
b. storage.conf
vi storage.conf
method tradspool {
newsgroups: *
class: 0
}

c. readers.conf
vi readers.conf
auth "local" {
hosts: "*"
default: "*"
}
access "local" {
users: "*"
newsgroups: "*"
}
3. start
/etc/init.d/innd start
service innd start

Starting INND system: [ OK ]
sudo ufw allow nntp
news://news.example.org
User Authentication
过程 11.2. Authinfo
1. ckpasswd
chown root /usr/lib/news/bin/auth/passwd/ckpasswd

chmod 4555 /usr/lib/news/bin/auth/passwd/ckpasswd
2. shadow auth
$ sudo vim /etc/news/readers.conf

auth local {
auth: "ckpasswd -s"
}
access local {
users: "neo"
newsgroups: "*,!junk,!control,!control.*"
}
3. passwd file
auth local {
auth: "ckpasswd -f /etc/news/newsusers"
}
access local {
users: "neo"
newsgroups: "*,!junk,!control,!control.*"
}
4. dbm,ndbm
auth: "ckpasswd -d /etc/news/newsusers.ndbm"

第 10 章 Point to Point 起始页 usenet 管理

usenet 管理
usenet 管理
上一页第 11 章 News Group (innd) 下一页
usenet 管理
Usenet新闻组有以下几大类：
　　●comp 计算机科学及相关的话题
　　●news 一般性的新闻话题
　　●rec 个人爱好、娱乐活动、艺术话题
　　●sci 科学研究、工程技术
　　●soc 社会类话题
　　●biz 商业类话题
　　●talk 有争议的话题
　　●misc 不属于以上几类的或有交叉的话题
　　后来又增加了一类“alt”，这是一个范围较小、使用的人也较少的一个新闻组，
“alt”是“altemative” 的简写，是“替代”的意思，在这个组可以讨论各类话题。
创建组
sudo ctlinnd newgroup comp.lang.php

sudo ctlinnd newgroup comp.lang.perl
sudo ctlinnd newgroup comp.lang.python
sudo ctlinnd newgroup rec.photography

sudo ctlinnd newgroup rec.photographic.equipment
sudo ctlinnd newgroup rec.photographic.equipment.35mm
sudo ctlinnd newgroup rec.photographic.equipment.digital
sudo ctlinnd newgroup rec.photographic.equipment.lens
ctlinnd 手册
使用 ctlinnd 这个指令的大部份功能都只会在 INND 开启后才可以使用，例如
就是新增 Newsgroup ，您可以参考 ctlinnd 的系统手册。以下是一些常用的功能
解释及例子。
格式： ctlinnd newgroup [groupname]

例子： ctlinnd newgroup group.readers.discuss
　
这个作法是新增一个名为 "group.readers.discuss" 的 Newsgroup
格式： ctlinnd rmgroup [groupname]

例子： ctlinnd rmgroup group.test.unused

usenet 管理
这个指令是可以删除 [groupname] 的 Newsgroup。
格式： ctlinnd cannel [message-id]

例子： ctlinnd cancel 3BCBF4B3.8AD48C8F@linux.org.hk
　
把 Message-ID 为 "3BCBF4B3.8AD48C8F@linux.org.hk" 的文章删除，而这个 Message-ID

可以在 "View Source" 时看到，就如图二中是在 Netscape 中的画面，图中打圈
的就是 Message-ID 的位置，不过要注意是某些的 Message-ID 是包括了 "$" 号
的，这时可别忘记在 "$" 号前加上 "\" ，也就是 "\$"。
格式： ctlinnd pause [reason]

例子： ctlinnd pause maintenance
　
暂停一切的连线及不准许新的文章，这个适合作为暂时性的服务暂停。而
[reason] 部份是关键钥，您可以输入任何的 [reason] ，下文再谈。
格式： ctlinnd throttle [reason]

例子： ctlinnd throttle upgrade
　
暂停一切的连线及不准许新的文章，并且也会关闭 INND 的 "history" 檔案。
这个适合作为长时期的服务暂停。而 [reason] 部份是关键钥，您可以输入任
何的 [reason] ，下文再谈。
格式： ctlinnd go [reason]

例子： ctlinnd go maintenance
　
这个 "go" 功能是使已暂停服务的 innd 继续服务，例如是在 "pause" 或是

"throttle" 后，可以使用这个功能，但是要注意笔者刚才提过 [reason] 一事，
在 "go" 中使用的 [reason] 必须要与 "pause" 或是 "throttle" 中的 [reason] 相
同。

第 11 章 News Group (innd) 起始页通过SSL连接

通过SSL连接
通过SSL连接
通过SSL连接
$ cat /etc/news/sasl.conf
创建证书
$ sudo openssl req -new -x509 -nodes \

-out cert.pem -days 366 \
-keyout cert.pem
Generating a 1024 bit RSA private key

....................++++++
...............................++++++
writing new private key to 'cert.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Guang dong
Locality Name (eg, city) [Newbury]:Shen Zhen
Organization Name (eg, company) [My Company Ltd]:netkiller
Organizational Unit Name (eg, section) []:netkiller
Common Name (eg, your name or your server's hostname) []:netkiller.8800.org
Email Address []:openunix@163.com
设置权限
$ sudo chmod 640 cert.pem

通过SSL连接

usenet 管理起始页 src.rpm 安装

src.rpm 安装
src.rpm 安装
src.rpm 安装
下载文件
wget ftp://rpmfind.net/linux/redhat/enterprise/4/en/os/i386/SRPMS/inn-2.3.5-12.src.
rpm
cd /usr/src/redhat/SPECS
rpmbuild --ba inn.spec
cd /usr/src/redhat/RPMS/i386/
rpm -ivh *
makedbz
cd /var/lib/news
chmod 664 active
sudo -u news /usr/lib/news/bin/makedbz -i
mv history.n.dir history.dir
mv history.n.hash history.hash
mv history.n.index history.index
inncheck
sudo -u news /usr/lib/news/bin/inncheck

通过SSL连接起始页第 12 章 IRC - Internet Relay Chat
第 12 章 IRC - Internet Relay Chat


目录
IRC Commands
ircd-hybrid
IRC Client
IRC Protcol
irc://chat.freenode.net/wikipedia-zh
irc://host/channel
irc://chat.freenode.net/wikipedia-zh

src.rpm 安装起始页 IRC Commands
IRC Commands
IRC Commands
上一页第 12 章 IRC - Internet Relay Chat 下一页
IRC Commands
IRC常用命令
如果已经进入了 UTF-8 频道，却不知道自己是否正使用 UTF-8 编码，可以输入
/charset utf-8
/serv irc.freenode.net
/nick 更改昵称
/join 加入/建立聊天室
/mode +(-)i 锁住聊天室
/mode +(-)o 设定管理员权限
/knock 要求进入私人聊天室
/invite 邀请用户进入私人聊天室
/privmsg 悄悄话
/ignore 忽略
/away 暂时离开
/whois 查询用户信息
/names 列出所有在线用户
/topic 更换聊天室主题
/kick 把用户踢出聊天室
/quit 退出聊天室
IRC命令有二点值得您注意：
所有的IRC命令都是由“/”引导。
在不引起混淆的情况下，IRC命令允许简写。例如，/join 命令可以简写为/j，/jo或者/joi。

IRC Commands
/nick
更改昵称的基本方法是：/n(ick) 新的昵称
您的昵称可以包含英文字母，数字，汉字及下划线等。但是，昵称不能超过50个（每个字符和汉字都算一个字），而
且不能包含$，+，！和空格。
/nick 命令等价于工具按钮中的“改变别名”。
/join
/join命令的格式是：/j(oin) 聊天室名
如果聊天室已经存在，您就进入该聊天室。此时，/join 命令等价于聊天室列表工具按钮中的“进入”。
如果聊天室不存在，您就建立了一个新的聊天室并进入。此时，/join 命令等价于工具按钮中的“建聊天室”。
聊天室的名字可以包含英文字母，数字，汉字及下划线等。但是，不能超过50个字（每个字符和汉字都算一个字），
而且不能包含$，+，！和空格。
/mode +(-)i
/mode +(-)i 命令可以用来锁住（解锁）用户自建的聊天室（私人聊天室）。其命令格式是:/m(ode)
+i 或 /m(ode) -i
只有用户自建的聊天室才能加锁。
未经管理员邀请，其他用户不能进入私人聊天室。
/mode +(-)o
/mode +(-)o 命令可以让聊天室管理员赋予或者剥夺其他用户的管理员身份。其命令格式是：/m(ode)
+o 用户昵称或/m(ode)-o用户昵称只有聊天室管理员才能使用这个命令。
/knock
/knock 命令可以让您询问私人聊天室管理员是否可以进入该私人聊天室。其命令格式是：/k(nock) 房间名
消息]
/invite
/invite 命令可以让聊天室管理员邀请其他用户进入私人聊天室。其命令格式是:/i(nvite) 用户昵称
只有私人聊天室的管理员才能使用这个命令。
/privmsg
/privmsg 命令用来向在同一间聊天室的某个用户发送私人消息（悄悄话）。也就是说，您的消息只送给指定的人，
而不会显示给其他用户。

IRC Commands
/privmsg 命令的基本格式是： /p(rivmsg) 用户昵称消息
接受您的私人消息的用户必须和您在同一间聊天室。
“用户昵称”和“消息”这两个参数是不能省略的。
如果某个用户的昵称太长，在不会产生混淆的情况下，您可以只输入用户昵称的头几个字母，系统会进行自动匹配。
例如：聊天室里除了您之外还有两个用户，他们的昵称分别是xiaobao和softman。您若想给softman发送悄悄
话，可以在输入框里输入下面的命令：
/p s Have you etanged today?

由于xiaobao和softman的第一个字母就不一样，所以系统会把您输入的昵称“s”自动匹配为“softman”。另
外，“/p”是“/privmsg”的缩写。
/ignore
/ignore 命令用来把某个用户加入您的“坏人黑名单”。一旦某个用户进入了您的黑名单，他说的任何话都将不会显
示在您的终端上。
/ignore 命令的基本格式是：/ig(nore) 用户昵称
用户昵称所代表的用户必须和您在同一个聊天室。
/ignore 命令等价于用户列表工具按钮中的“忽略”。
如果某个用户的昵称太长，在不会产生混淆的情况下，您可以只输入用户昵称的头几个字母，系统会进行自动匹配。
在您的用户列表中，如果某个用户昵称前有一个#，表示该用户已经被您列入黑名单。
如果一个用户已经在您的黑名单中，您可以用 /ignore 用户昵称把他从黑名单中去掉。
/away
/away 命令用来把自己设为“暂时离开”状态，并可以留言给其他用户。当其他用户和您说悄悄话时，您预先设置的
留言会自动回复给其他用户。
/away 命令的基本格式是：/a(way) [留言]
“留言”这个参数是可选的。如果有这个参数，您的状态会被设置为“暂时离开”。否则，您的状态会被设置为“我回来
了”。
当您暂时离开聊天室时，用户列表中您的昵称前会出现一个?，表示您处于“离开”状态。工具按钮中的“暂时离开”也
会变为“我回来了”。
当您回来继续聊天时，您可以点击工具按钮中的“我回来了”，或者在输入框里输入 /away 命令，将自己设置为正常

状态。
/away 命令等价于工具按钮中的“暂时离开”
/whois

IRC Commands
/whois 命令用来查询某个用户的信息，包括用户的亿唐ID，IP地址，目前所在的聊天室和发呆时间。
/whois 命令的基本格式是：/w(hois) 用户昵称
/whois命令等价于用户列表工具按钮中的“查询”。
/names
/names 命令用来查看当前所有（或某个聊天室内）的在线聊天用户。其命令格式是：/na(mes) [聊天室]
/topic
/topic 命令用来设定当前聊天室的主题。
/topic 命令的基本格式是：/t(opic) 聊天室主题
只有当前聊天室的管理员（op）才有权利设定聊天室主题。
聊天室的创建者就是该聊天室的管理员。
管理员权限可以通过 /mode +o 命令转交。
/kick
/kick 命令用来把某个用户踢出当前聊天室。
/kick 命令的基本格式是：/ki(ck) 用户昵称 [消息]
只有当前聊天室的管理员（op）才有权利把其他用户踢出当前聊天室。
聊天室的创建者就是该聊天室的管理员。
管理员权限可以通过/mode +o命令转交。
请诸位网友慎用这个命令。“君子动口不动手”嘛！
/quit
/quit 命令用来退出聊天室。
/quit 命令的基本格式是：/q(uit) [消息]
“消息”这个参数是可选的。如果您指定退出时的消息，该消息会发送给当前聊天室中的其他用户。您可以使用这个消
息向其他用户道别。
/quit 命令等价于工具按钮中的“结束聊天”。

IRC Commands

第 12 章 IRC - Internet Relay Chat 起始页 ircd-irc2 - The original IRCNet IRC server
daemon



Installation
sudo apt-get install ircd-irc2
Configuration
$ sudo vim /etc/ircd/ircd.conf

$ sudo /etc/init.d/ircd-irc2 start

IRC Commands 起始页 ircd-hybrid
ircd-hybrid
ircd-hybrid
ircd-hybrid
install
netkiller@shenzhen:~$ sudo apt-get install ircd-hybrid
script file
netkiller@shenzhen:~$ /etc/init.d/ircd-hybrid
Usage: /etc/init.d/ircd-hybrid {start|stop|restart|reload|force-reload}
config file
netkiller@shenzhen:~$ sudo ls /etc/ircd-hybrid/

cresv.conf dline.conf ircd.conf ircd.motd kline.conf nresv.conf rkline.conf
rxline.conf xline.conf

ircd-irc2 - The original IRCNet IRC server 起始页 IRC Client
daemon
IRC Client
IRC Client
IRC Client
Client
TUI client
$ sudo apt-get install ircii
/etc/irc/servers
remove the string: change_this_in_etc_irc_servers
add default irc server.
172.16.0.1
running irc client
$ irc -c '#system' neo 192.168.3.9
freenode.net
$ irc -c '#debian' neo chat.freenode.net

IRC Client

ircd-hybrid 起始页第 13 章 jabber

第 13 章 jabber
第 13 章 jabber
第 13 章 jabber
目录

ejabberdctl
DJabberd
Developer
python-xmpp
jabber homepage
ejabberd - Distributed, fault-tolerant Jabber/XMPP server written

in Erlang
http://www.ejabberd.im/
1. install
$ sudo apt-get install ejabberd
2. configure.
$ sudo cp /etc/ejabberd/ejabberd.cfg /etc/ejabberd/ejabberd.cfg.old

$ sudo ls /etc/ejabberd/
ejabberd.cfg ejabberd.cfg.old ejabberd.pem inetrc
$ sudo vim /etc/ejabberd/ejabberd.cfg
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Options which are set by Debconf and managed by ucf
%% Admin user
{acl, admin, {user, "neo", "netkiller.8800.org"}}.
%% Hostname
{hosts, ["netkiller.8800.org"]}.

第 13 章 jabber
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
3. create a admin
# ejabberdctl register <username> <server> <password># ejabberdctl unregister <username>

<server>
$ sudo ejabberdctl register neo netkiller.8800.org your_password
admin page: http://localhost:5280/admin/

4. firewall
$ sudo ufw allow xmpp-server

Rule added
$ sudo ufw allow xmpp-client

Rule added
5. test
$ sudo apt-get install sendxmpp
Create config file ~/.sendxmpprc
$ vim ~/.sendxmpprc
#account@host:port password
neo@netkiller.8800.org chen
$ sudo chmod 600 .sendxmpprc

第 13 章 jabber
send messages
$ echo -n hi | sendxmpp -r echocmd neo@netkiller.8800.org
ejabberdctl
set-password
$ sudo ejabberdctl set-password eva netkiller.8800.org eva

IRC Client 起始页 DJabberd

DJabberd
DJabberd
上一页第 13 章 jabber 下一页
DJabberd
http://www.danga.com/djabberd/

第 13 章 jabber 起始页 freetalk - A console based Jabber
client

$ sudo apt-get install freetalk
$ freetalk

DJabberd 起始页 Developer
Developer
Developer
Developer
python-xmpp
$ sudo apt-get install python-xmpp
$ cat jabber.py
import xmpp
jid=xmpp.protocol.JID('neo@netkiller.8800.org')
cl=xmpp.Client(jid.getDomain(),debug=[])
cl.connect()
cl.auth(jid.getNode(),'chen')
cl.send(xmpp.protocol.Message('neo@netkiller.8800.org','hi there'))
cl.disconnect()

freetalk - A console based Jabber 第 14 章 NET SNMP (Simple
起始页
client Network Management Protocol)
第 14 章 NET SNMP (Simple Network Management Protocol)


目录
安装SNMP
例出MBI
SNMP v3
Cacti
安装SNMP
search package
netkiller@neo:~$ apt-cache search snmp

libsnmp-base - NET SNMP (Simple Network Management Protocol) MIBs and Docs
libsnmp-perl - NET SNMP (Simple Network Management Protocol) Perl5 Support
libsnmp-session-perl - Perl support for accessing SNMP-aware devices
libsnmp9 - NET SNMP (Simple Network Management Protocol) Library
libsnmp9-dev - NET SNMP (Simple Network Management Protocol) Development Files
snmp - NET SNMP (Simple Network Management Protocol) Apps
snmpd - NET SNMP (Simple Network Management Protocol) Agents
php5-snmp - SNMP module for php5
安装
netkiller@neo:~$ sudo apt-get install snmp snmpd
配置 /etc/snmp/snmpd.conf
# sec.name source community

com2sec paranoid default chen
# incl/excl subtree mask

view all included .1 80
view system included .iso.org.dod.internet.mgmt.mib-2.system

view system included .iso.org.dod.internet.mgmt.mib-2.host

view system included .iso.org.dod.internet.mgmt.mib-2.interfaces
.iso.org.dod.internet.mgmt.mib-2.host 可以使用命令 snmptranslate -Onf -IR hrStorageDescr得到
参考:http://www.mkssoftware.com/docs/man1/snmptranslate.1.asp

Developer 起始页例出MBI

例出MBI
例出MBI
上一页第 14 章 NET SNMP (Simple Network Management Protocol) 下一页
例出MBI
$ snmpwalk -c public -v 1 127.0.0.1 1.3.6.1.2.1.1
netkiller@neo:/etc/snmp$ snmpwalk -c public -v 1 127.0.0.1 1.3.6.1.2.1.1

SNMPv2-MIB::sysDescr.0 = STRING: Linux neo.example.org 2.6.17-10-server #2 SMP Tue
Dec 5 22:29:32 UTC 2006 i686
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (120146) 0:20:01.46
SNMPv2-MIB::sysContact.0 = STRING: Root <root@localhost> (configure /etc/snmp/snmpd.
local.conf)
SNMPv2-MIB::sysName.0 = STRING: neo.example.org
SNMPv2-MIB::sysLocation.0 = STRING: Unknown (configure /etc/snmp/snmpd.local.conf)
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (18) 0:00:00.18
SNMPv2-MIB::sysORID.1 = OID: IF-MIB::ifMIB
SNMPv2-MIB::sysORID.2 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.3 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.4 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.5 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.6 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORID.7 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.8 = OID: SNMP-MPD-MIB::snmpMPDCompliance
SNMPv2-MIB::sysORID.9 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
SNMPv2-MIB::sysORDescr.1 = STRING: The MIB module to describe generic objects for
network interface sub-layers
SNMPv2-MIB::sysORDescr.2 = STRING: The MIB module for SNMPv2 entities
SNMPv2-MIB::sysORDescr.3 = STRING: The MIB module for managing TCP implementations
SNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for managing IP and ICMP
implementations
SNMPv2-MIB::sysORDescr.5 = STRING: The MIB module for managing UDP implementations
SNMPv2-MIB::sysORDescr.6 = STRING: View-based Access Control Model for SNMP.
SNMPv2-MIB::sysORDescr.7 = STRING: The SNMP Management Architecture MIB.
SNMPv2-MIB::sysORDescr.8 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.9 = STRING: The management information definitions for the
SNMP User-based Security Model.
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (12) 0:00:00.12
End of MIB
netkiller@neo:/etc/snmp$ snmpget -v 1 -c public localhost sysDescr.0

例出MBI
SNMPv2-MIB::sysDescr.0 = STRING: Linux neo.example.org 2.6.17-10-server #2 SMP Tue

Dec 5 22:29:32 UTC 2006 i686
netkiller@neo:/etc/snmp$
snmpget -v 1 -c public localhost sysDescr.0
snmpwalk -v 1 -c OFcx6CvN 127.0.0.1 extEntry

第 14 章 NET SNMP (Simple Network SNMP v3
起始页
Management Protocol)

SNMP v3
SNMP v3
上一页第 14 章 NET SNMP (Simple Network Management Protocol) 下一页
SNMP v3
neo@debian:~$ sudo /etc/init.d/snmpd stop

Stopping network management services: snmpd snmptrapd.
neo@debian:~$ sudo net-snmp-config --create-snmpv3-user -ro -a "netadminpassword"

netadmin
adding the following line to /var/lib/snmp/snmpd.conf:
createUser netadmin MD5 "netadminpassword" DES
adding the following line to /usr/share/snmp/snmpd.conf:
rouser netadmin
neo@debian:~$ sudo /etc/init.d/snmpd start

Starting network management services: snmpd.
test
neo@debian:~$ snmpget -v 3 -u netadmin -l authNoPriv -a MD5 -A <passwd> 127.0.0.1

sysUpTime.0
With a different password this fails:
neo@debian:~$ snmpget -v 3 -u netadmin -l authNoPriv -a MD5 -A nopasswd 127.0.0.1

sysUpTime.0
snmpget: Authentication failure (incorrect password, community or key) (Sub-id not
found: (top) -> sysUpTime)
Note that this can be stuck in a snmp.conf file in ~/.snmp:
neo@debian:~$ mkdir ~/.snmp

neo@debian:~$ vim ~/.snmp/snmp.conf
defSecurityName netadmin
defContext ""
defAuthType MD5
defSecurityLevel authNoPriv

SNMP v3
defAuthPassphrase <netadminpassword>
defVersion 3
test
neo@debian:~$ snmpget 127.0.0.1 sysUpTime.0


例出MBI 起始页 Cacti

Cacti
Cacti
第 14 章 NET SNMP (Simple Network
上一页下一页
Management Protocol)
Cacti
Cacti

SNMP v3 起始页第 15 章 Network Authentication
第 15 章 Network Authentication
目录

安装NIS服务器
Slave NIS Server
application example
OpenLDAP
Server
Client
Kerberos
Kerberos 安装
Kerberos Server
Kerberos Client
Kerberos Management
FreeRADIUS
ldap
mysql
WAP2 Enterprise
安装NIS服务器
过程 15.1. 安装NIS服务器
1. ypserv
# yum install ypserv -y
2. /etc/hosts
[root@nis ~]# hostname nis.example.com

[root@nis ~]# echo "192.168.3.5 nis.example.com" >> /etc/hosts
[root@nis ~]# cat /etc/hosts

# Do not remove the following line, or various programs

# that require network functionality will fail.
127.0.0.1 datacenter.example.com datacenter localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
127.0.0.1 kerberos.example.com
192.168.3.5 nis.example.com
3. 设置NIS域名
# nisdomainname example.com
# nisdomainname
example.com
加入 /etc/rc.local 开机脚本
# echo '/bin/nisdomainname example.com' >> /etc/rc.local

# echo 'NISDOMAIN=example.com' >> /etc/sysconfig/network
4. 设置/etc/ypserv.conf主配置文件
# vim /etc/ypserv.conf
127.0.0.0/255.255.255.0 : * : * : none
192.168.3.0/255.255.255.0 : * : * : none
* : * : * : deny
5. 创建 /var/yp/securenets 文件
securenets 安全配置文件
# vim /var/yp/securenets
host 127.0.0.1
255.255.255.0 192.168.3.0
6. 启动NIS服务器

NIS服务器需要portmap服务的支持，并且需要启动ypserv和yppasswdd两个服务
[root@nis ~]# service portmap status

portmap (pid 2336)
is running...
[root@nis ~]# service ypserv start
Starting YP
server services: [ OK ]
[root@nis ~]# service yppasswdd start
Starting YP passwd service: [ OK ]
7. 构建NIS数据库
32bit: /usr/lib/yp/ypinit -m
64bit: /usr/lib64/yp/ypinit -m
[root@nis ~]# /usr/lib64/yp/ypinit -m
At this point, we have to construct a list of the hosts which will run NIS
servers. nis.example.com is in the list of NIS server hosts. Please continue to add
the names for the other hosts, one per line. When you are done with the
list, type a <control D>.
next host to add: nis.example.com
next host to add:
next host to add:
The current list of NIS servers looks like this:
nis.example.com
Is this correct? [y/n: y]

We need a few minutes to build the databases...
Building /var/yp/example.com/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/example.com'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/example.com'

nis.example.com has been set up as a NIS master server.
Now you can run ypinit -s nis.example.com on all slave server.
检查
# ls /var/yp/
binding example.com Makefile nicknames
securenets ypservers
8. Service
[root@datacenter ~]# chkconfig --list | grep yp

ypbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off
yppasswdd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ypserv 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ypxfrd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@nis ~]# chkconfig ypserv on

[root@nis ~]# chkconfig yppasswdd on
Slave NIS Server
Now you can run ypinit -s nis.example.com on all slave server.
# ypinit -s nis.example.com
过程 15.2. 安装NIS客户端软件
1. NIS客户机需要安装ypbind和yp-tools两个软件包
# yum install ypbind yp-tools -y

2. NIS域名
# nisdomainname example.com
3. /etc/hosts
4. /etc/yp.conf
# vim /etc/yp.conf
domain example.com server nis.example.com
5. /etc/nsswitch.conf
# vim /etc/nsswitch.conf
passwd: files nis
shadow: files nis
group: files nis
hosts: files nis dns
6. 启动ypbind服务程序
[root@test ~]# service portmap status

portmap is stopped
[root@test ~]# service portmap start
Starting portmap: [ OK ]
[root@test ~]# service ypbind start
Turning on allow_ypbind SELinux boolean
Binding to the NIS domain: [ OK ]
Listening for an NIS domain server..
7. yp-tools 测试工具

yptest 命令可对NIS服务器进行自动测试
# yptest
ypwhich 命令可显示NIS客户机所使用的NIS服务器的主机名称和数据库文件列表
# ypwhich
# ypwhich -x
ypcat命令显示数据库文件列表和指定数据库的内容
# ypcat -x
# ypcat passwd
8. NIS Client Service
# chkconfig ypbind on
# authconfig-tui
Use NIS
┌────────────────┤ Authentication Configuration ├─────────────────┐

│ │
│ User Information Authentication │
│ [ ] Cache Information [*] Use MD5 Passwords │
│ [ ] Use Hesiod [*] Use Shadow Passwords │
│ [ ] Use LDAP [ ] Use LDAP Authentication │
│ [*] Use NIS [ ] Use Kerberos │
│ [ ] Use Winbind [ ] Use SMB Authentication │

│ [ ] Use Winbind Authentication │

│ [ ] Local authorization is sufficient │
│ │
│ ┌────────┐ ┌──────┐ │
│ │ Cancel │ │ Next │ │
│ └────────┘ └──────┘ │
│ │
│ │
└─────────────────────────────────────────────────────────────────┘
NIS Settings
┌─────────────────┤ NIS Settings ├─────────────────┐

│ │
│ Domain: example.com_____________________________ │
│ Server: nis.example.com_________________________ │
│ │
│ ┌──────┐ ┌────┐ │
│ │ Back │ │ Ok │ │
│ └──────┘ └────┘ │
│ │
│ │
└──────────────────────────────────────────────────┘
application example
nis server:
在NIS服务器上创建一个test用户
# adduser test
# passwd test
# /usr/lib64/yp/ypinit -m
nis client
使用test用户登录到客户机
ssh test@client.example.com
测试

[root@test ~]# yptest

Test 1: domainname
Configured domainname is "example.com"
Test 2: ypbind
Used NIS server:
nis.example.com
Test 3: yp_match
WARNING: No such key in map (Map
passwd.byname, key nobody)
Test 4: yp_first
neo
neo:$1$e1nd3pts$s7NikMnKwpL4vUp2LM/N9.:500:500::/home/neo:/bin/bash
Test 5: yp_next
test
test:$1$g4.VCB7i$I/N5W/imakprFdtP02i8/.:502:502::/home/test:/bin/bash
svnroot svnroot:!!:501:501::/home/svnroot:/bin/bash
Test 6: yp_master
nis.example.com
Test 7: yp_order
1271936660
Test 8: yp_maplist
rpc.byname
protocols.bynumber
ypservers
passwd.byname
hosts.byname
rpc.bynumber
group.bygid
services.byservicename
mail.aliases
passwd.byuid
services.byname
netid.byname
protocols.byname
group.byname
hosts.byaddr
Test 9: yp_all
neo
test
svnroot svnroot:!!:501:501::/home/svnroot:/bin/bash
1 tests failed

更改密码
$ yppasswd
Changing NIS account information for test on nis.example.com.
Please enter old password:
Changing NIS password for test on
nis.example.com.
Please enter new password:
Please retype new password:
The NIS password has been changed on nis.example.com.
-bash-3.2$ ypcat hosts

127.0.0.1 localhost.localdomain localhost
127.0.0.1 kerberos.example.com
-bash-3.2$ ypcat passwd

svnroot:!!:501:501::/home/svnroot:/bin/bash
-bash-3.2$
ypwhich
nis.example.com
ypwhich -x
Use "ethers" for map "ethers.byname"
Use "aliases" for map "mail.aliases"
Use "services" for map "services.byname"
Use "protocols" for map "protocols.bynumber"
Use "hosts" for map "hosts.byname"
Use "networks" for map "networks.byaddr"
Use "group" for map "group.byname"
Use "passwd" for map "passwd.byname"
在NIS服务器中将“/home”输出为NFS共享目录
# vi /etc/exports
/home 192.168.3.0/24(sync,rw,no_root_squash)

重启NFS服务
# service nfs restart
在NIS客户端中挂载“/home”目录
# vi /etc/fstab
192.168.1.10:/home/ /home nfs defaults 0 0
mount home volume
# mount /home

Cacti 起始页 OpenLDAP

OpenLDAP
OpenLDAP
上一页第 15 章 Network Authentication 下一页
OpenLDAP
Server
1. First, install the OpenLDAP server daemon slapd and ldap-utils, a package containing LDAP
management utilities:
sudo apt-get install slapd ldap-utils
By default the directory suffix will match the domain name of the server. For example, if the
machine's Fully Qualified Domain Name (FQDN) is ldap.example.com, the default suffix will
be dc=example,dc=com. If you require a different suffix, the directory can be reconfigured
using dpkg-reconfigure. Enter the following in a terminal prompt:
sudo dpkg-reconfigure slapd
2. example.com.ldif
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
dn: ou=groups,dc=example,dc=com
ou: groups
dn: uid=john,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe

OpenLDAP
displayName: John Doe

uidNumber: 1000
gidNumber: 10000
userPassword: password
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: john.doe@example.com
postalCode: 31000
l: Toulouse
o: Example
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress:
initials: JD
dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
gidNumber: 10000
3. To add the entries to the LDAP directory use the ldapadd utility:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f example.com.ldif
We can check that the content has been correctly added with the tools from the ldap-utils
package. In order to execute a search of the LDAP directory:
ldapsearch -xLLL -b "dc=example,dc=com" uid=john sn givenName cn
dn: uid=john,ou=people,dc=example,dc=com
cn: John Doe
sn: Doe
givenName: John

OpenLDAP
Just a quick explanation:
-x: will not use SASL authentication method, which is the default.
-LLL: disable printing LDIF schema information.
Client
1. libnss-ldap
sudo apt-get install libnss-ldap
2. reconfigure ldap-auth-config
sudo dpkg-reconfigure ldap-auth-config
3. auth-client-config
sudo auth-client-config -t nss -p

lac_ldap
4. pam-auth-update.
sudo pam-auth-update
sudo apt-get install ldapscripts
/etc/ldapscripts/ldapscripts.conf

OpenLDAP
SERVER=localhost
BINDDN='cn=admin,dc=example,dc=com'
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX='dc=example,dc=com'
GSUFFIX='ou=Groups'
USUFFIX='ou=People'
MSUFFIX='ou=Computers'
GIDSTART=10000
UIDSTART=10000
MIDSTART=10000
Now, create the ldapscripts.passwd file to allow authenticated access to the directory:
sudo sh -c "echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd"

sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd

第 15 章 Network Authentication 起始页 Kerberos

Kerberos
Kerberos
Kerberos
（Kerberos: Network Authentication Protocol）
http://web.mit.edu/Kerberos/
kerberos是由MIT开发的提供网络认证服务的系统，很早就听说过它的大名，但一直没有使用过它。它可用来为网
络上的各种server提供认证服务,使得口令不再是以明文方式在网络上传输，并且联接之间通讯是加密的；它和PKI
认证的原理不一样，PKI使用公钥体制(不对称密码体制)，kerberos基于私钥体制(对称密码体制)。
Kerberos 安装
CentOS 安装
获得krb5的安装包
yum search krb5
[root@centos ~]# yum search krb5

========================================== Matched:
krb5 ===========================================
krb5-auth-dialog.x86_64 : Kerberos 5 authentication dialog
krb5-devel.i386 : Development files needed to compile Kerberos 5 programs.
krb5-devel.x86_64 : Development files needed to compile Kerberos 5 programs.
krb5-libs.i386 : The shared libraries used by Kerberos 5.
krb5-libs.x86_64 : The shared libraries used by Kerberos 5.
krb5-server.x86_64 : The KDC and related programs for Kerberos 5.
krb5-workstation.x86_64 : Kerberos 5 programs for use on workstations.
pam_krb5.i386 : A Pluggable Authentication Module for Kerberos 5.
pam_krb5.x86_64 : A Pluggable Authentication Module for Kerberos 5.
安装

Kerberos
yum install krb5-server.i386
[root@centos ~]# yum install krb5-server

Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package krb5-server.x86_64 0:1.6.1-36.el5_4.1 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
====================================================================================================
Package Arch
Version Repository Size
====================================================================================================
Installing:
krb5-server x86_64 1.6.1-36.
el5_4.1 updates 914 k
Transaction Summary
====================================================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 914 k

Is this ok [y/N]: y
Downloading Packages:
krb5-server-1.6.1-36.el5_4.1.x86_64.rpm |
914 kB 00:01
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing :
krb5-server 1/1
Installed:
krb5-server.x86_64 0:1.6.1-36.el5_4.1

Kerberos
Complete!
[root@datacenter ~]#Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package krb5-server.x86_64 0:1.6.1-36.el5_4.1 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
====================================================================================================
Package Arch
Version Repository Size
====================================================================================================
Installing:
krb5-server x86_64 1.6.1-36.
el5_4.1 updates 914 k
Transaction Summary
====================================================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 914 k

Is this ok [y/N]: y
Downloading Packages:
krb5-server-1.6.1-36.el5_4.1.x86_64.rpm |
914 kB 00:01
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing :
krb5-server 1/1
Installed:
krb5-server.x86_64 0:1.6.1-36.el5_4.1
Complete!

Kerberos
yum install krb5-workstation
[root@centos ~]# yum install krb5-workstation
yum install krb5-libs
Install by apt-get
过程 15.3. installation
1. $ sudo apt-get install krb5-admin-server
2. Configuring
┌──────────────────────────────┤ Configuring krb5-admin-

server ├───────────────────────────────┐
│ │
│ Setting up a
Kerberos Realm │
│ │
│ This package contains the administrative tools required to run the
Kerberos master server. │
│ │
│ However, installing this package does not automatically set up a
Kerberos realm. This can │
│ be done later by running the
"krb5_newrealm" command. │
│ │
Kerberos
│ Please also read the /usr/share/doc/krb5-kdc/README.KDC file and

the administration guide │
│ found in the krb5-
doc package. │
│ │
│
<Ok> │
│ │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
OK
┌───────────────────────────────┤ Configuring krb5-admin-

server ├───────────────────────────────┐
│ │
│ Kadmind serves requests to add/modify/remove principals in the
Kerberos database. │
│ │
│ It is required by the kpasswd program, used to change passwords. With
standard setups, this │
│ daemon should run on the
master KDC. │
│ │
│ Run the Kerberos V5 administration
daemon (kadmind)? │
│ │
│
<Yes> <No> │
│ │
└───────────────────────────────────────────────────────────────────────────────────────────────┘
Yes
Kerberos Server
Kerberos
过程 15.4. Kerberos Server 配置步骤
1. Create the Database
创建Kerberos的本地数据库
kdb5_util create -r EXAMPLE.COM -s
[root@datacenter ~]# kdb5_util create -r EXAMPLE.COM -s

Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
2. /etc/krb5.conf
# cp /etc/krb5.conf /etc/krb5.conf.old
# vim /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
Kerberos
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
检查下面配置文件 /var/kerberos/krb5kdc/kadm5.acl
[root@datacenter ~]# cat /var/kerberos/krb5kdc/kadm5.acl

*/admin@EXAMPLE.COM *
格式
The format of the file is:
Kerberos_principal permissions [target_principal] [restrictions]
3. Add Administrators to the Kerberos Database
创建账号
[root@datacenter ~]# kadmin.local

Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc admin/admin@EXAMPLE.COM
WARNING: no policy specified for admin/admin@EXAMPLE.COM; defaulting to no policy
Kerberos
Enter password for principal "admin/admin@EXAMPLE.COM":

Re-enter password for principal "admin/admin@EXAMPLE.COM":
Principal "admin/admin@EXAMPLE.COM" created.
kadmin.local:
也同样可以使用下面命令
kadmin.local -q "addprinc username/admin"
[root@datacenter ~]# kadmin.local -q "addprinc krbuser"

Authenticating as principal admin/admin@EXAMPLE.COM with password.
WARNING: no policy specified for krbuser@EXAMPLE.COM; defaulting to no policy
Enter password for principal "krbuser@EXAMPLE.COM":
Re-enter password for principal "krbuser@EXAMPLE.COM":
Principal "krbuser@EXAMPLE.COM" created.
4. Create a kadmind Keytab
[root@datacenter ~]# kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.

keytab => kadmin/admin kadmin/changepw"
kadmin.local: Principal => does not exist.
Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc
mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with
CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode
with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/
kadm5.keytab.
5. Start the Kerberos Daemons on the Master KDC

Kerberos
启动 Kerberos进程
[root@datacenter ~]# sudo /etc/init.d/krb524 start

Starting Kerberos 5-to-4 Server: [ OK ]
[root@datacenter ~]# sudo /etc/init.d/krb5kdc restart

Stopping Kerberos 5 KDC: [ OK ]
Starting Kerberos 5 KDC: [ OK ]
[root@datacenter ~]# sudo /etc/init.d/kadmin start

Starting Kerberos 5 Admin Server: [ OK ]
6. Log 文件
[root@datacenter ~]# cat /var/log/krb5kdc.log
[root@datacenter ~]# cat /var/log/krb5libs.log
[root@datacenter ~]# cat /var/log/kadmind.log
Kerberos Client
过程 15.5. Kerberos Client 配置步骤
1. Ticket Management
a. Obtaining Tickets with kinit
[root@datacenter ~]# kinit admin/admin

Password for admin/admin@EXAMPLE.COM:
b. Viewing Your Tickets with klist

Kerberos
[root@datacenter ~]# klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@EXAMPLE.COM
Valid starting Expires Service principal

03/25/10 16:15:18 03/26/10 16:15:18 krbtgt/EXAMPLE.COM@ZEXAMPLECOM
Kerberos 4 ticket cache: /tmp/tkt0

klist: You have no tickets cached
c. Destroying Your Tickets with kdestroy
[root@datacenter ~]# kdestroy

klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

2. Password Management
Changing Your Password
[root@datacenter ~]# kpasswd

Enter new password:
Enter it again:
Password changed.

Kerberos
Kerberos Management
ktutil - Kerberos keytab file maintenance utility
[root@datacenter ~]# ktutil

ktutil: rkt /var/kerberos/krb5kdc/kadm5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 3 kadmin/admin@EXAMPLE.COM
3 3 kadmin/changepw@EXAMPLE.COM
ktutil: q
klist - list cached Kerberos tickets

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@EXAMPLE.COM
Valid starting Expires Service principal

03/25/10 16:53:02 03/26/10 16:53:02 krbtgt/EXAMPLE.COM@EXAMPLE.COM
03/25/10 17:02:10 03/26/10 16:53:02 host/172.16.0.8@

Configuring the Application server system
[root@datacenter ~]# kinit admin/admin


Kerberos
[root@datacenter ~]# kadmin.local -q "addprinc -randkey host/172.16.0.8"

WARNING: no policy specified for host/172.16.0.8@EXAMPLE.COM; defaulting to no policy
Principal "host/172.16.0.8@EXAMPLE.COM" created.
[root@datacenter ~]# kadmin.local -q " ktadd -k /var/kerberos/krb5kdc/kadm5.

keytab host/172.16.0.8"
Entry for principal host/172.16.0.8 with kvno 3, encryption type Triple DES cbc
Entry for principal host/172.16.0.8 with kvno 3, encryption type DES cbc mode
with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
[root@datacenter ~]# ktutil
ktutil: rkt /var/kerberos/krb5kdc/kadm5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
5 3 host/172.16.0.8@EXAMPLE.COM
6 3 host/172.16.0.8@EXAMPLE.COM
ktutil: q
[root@datacenter ~]#
Configuring the Application client system
/etc/ssh/sshd_config
KerberosAuthentication yes

OpenLDAP 起始页 FreeRADIUS

FreeRADIUS
FreeRADIUS
FreeRADIUS
I want to authorize Wi-Fi Protected Access with freeradius for Wi-Fi Route.
● debian/ubuntu
● FreeRADIUS
● D-Link DI-624+A
some package of freeradius.
netkiller@shenzhen:~$ apt-cache search freeradius

freeradius - a high-performance and highly configurable RADIUS server
freeradius-dialupadmin - set of PHP scripts for administering a FreeRADIUS server
freeradius-iodbc - iODBC module for FreeRADIUS server
freeradius-krb5 - kerberos module for FreeRADIUS server
freeradius-ldap - LDAP module for FreeRADIUS server
freeradius-mysql - MySQL module for FreeRADIUS server
install
netkiller@shenzhen:~$ sudo apt-get install freeradius
OK, we have installed let's quickly test it. the '******' is your password.
netkiller@shenzhen:~$ radtest netkiller ****** localhost 0 testing123

Sending Access-Request of id 237 to 127.0.0.1 port 1812
User-Name = "netkiller"
User-Password = "******"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=237, length=20
if you can see 'Access-Accept', you have succeed
let me to input an incorrect password.
netkiller@shenzhen:~$ radtest netkiller ****** localhost 0 testing123

Sending Access-Request of id 241 to 127.0.0.1 port 1812

FreeRADIUS
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Re-sending Access-Request of id 241 to 127.0.0.1 port 1812
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=241, length=20
you will see 'Access-Reject'.
ldap
mysql
WAP2 Enterprise
WRT54G

Kerberos 起始页第 16 章 Sniffer

第 16 章 Sniffer
第 16 章 Sniffer
第 16 章 Sniffer
目录

Nessus

nmap
$ nmap localhost
Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-19 05:20 EST

Interesting ports on localhost (127.0.0.1):
Not shown: 1689 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql

第 16 章 Sniffer
FreeRADIUS tcpdump - A powerful tool for

起始页 network monitoring and data
acquisition


上一页第 16 章 Sniffer 下一页
tcpdump - A powerful tool for network monitoring and data

acquisition
$ tcpdump -n -i eth0 port 80 or icmp or arp
tcpdump
$ sudo tcpdump -n -i eth1
$ sudo tcpdump -n not dst port 22 and not src port 22
#!/bin/bash
tcpdump -i eth0 -s 0 -l -w - dst port 3306 | strings | perl -e '

while(<>) { chomp; next if /^[^ ]+[ ]*$/;
if(/^(SELECT|UPDATE|DELETE|INSERT|SET|COMMIT|ROLLBACK|CREATE|DROP|ALTER)/i) {
if (defined $q) { print "$q\n"; }
$q=$_;
} else {
$_ =~ s/^[ \t]+//; $q.=" $_";
}
}'

第 16 章 Sniffer 起始页 nc - TCP/IP swiss army knife


tcpdump - A powerful tool for Nessus
network monitoring and data 起始页
acquisition
Nessus
Nessus
Nessus
http://www.nessus.org/

nc - TCP/IP swiss army knife 起始页第 17 章 OpenSSH
第 17 章 OpenSSH
第 17 章 OpenSSH
第 17 章 OpenSSH
目录

Putty
OpenSSH Tunnel
SOCKS v5 Tunnel
OpenSSH for Windows
安装
sudo apt-get install ssh

限制SSH验证重试次数：
# vi /etc/ssh/sshd_config
MaxAuthTries 6

Nessus 起始页 disable root SSH login

上一页第 17 章 OpenSSH 下一页

禁止root用户登录
PermitRootLogin no

第 17 章 OpenSSH 起始页 Automatic SSH / SSH without
password


config /etc/ssh/sshd_config
$ sudo vim /etc/ssh/sshd_config
AuthorizedKeysFile %h/.ssh/authorized_keys
$ sudo /etc/init.d/ssh reload
ssh-keygen
ssh-keygen -d
master server
[netkiller@master ~]$ ssh-keygen -d

Generating public/private dsa key pair.
Enter file in which to save the key (/home/netkiller/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/netkiller/.ssh/id_dsa.
Your public key has been saved in /home/netkiller/.ssh/id_dsa.pub.
The key fingerprint is:
bf:a9:21:2c:82:77:2d:71:33:12:20:10:93:5f:cb:74 netkiller@master
[netkiller@master ~]$
[netkiller@master ~]$ cp .ssh/id_dsa.pub .ssh/authorized_keys
[netkiller@master ~]$ chmod 600 .ssh/authorized_keys
[netkiller@master ~]$ ls -l .ssh/
total 12
-rw------- 1 netkiller netkiller 612 Mar 27 15:31 authorized_keys
-rw------- 1 netkiller netkiller 736 Mar 27 15:24 id_dsa
-rw-r--r-- 1 netkiller netkiller 612 Mar 27 15:24 id_dsa.pub
backup server
[netkiller@backup ~]$ ssh-keygen -d

Generating public/private dsa key pair.
Enter file in which to save the key (/home/netkiller/.ssh/id_dsa):
Created directory '/home/netkiller/.ssh'.

Your identification has been saved in /home/netkiller/.ssh/id_dsa.

Your public key has been saved in /home/netkiller/.ssh/id_dsa.pub.
c5:2f:0e:4e:b0:46:47:ec:19:30:be:9c:20:ad:9c:51 netkiller@backup
[netkiller@backup ~]$ cp .ssh/id_dsa.pub .ssh/authorized_keys
[netkiller@backup ~]$ chmod 600 .ssh/authorized_keys
[netkiller@backup ~]$ ls -l .ssh/
total 16
-rw------- 1 netkiller netkiller 609 Mar 27 15:31 authorized_keys
-rw------- 1 netkiller netkiller 736 Mar 27 15:27 id_dsa
-rw-r--r-- 1 netkiller netkiller 609 Mar 27 15:27 id_dsa.pub
交换公钥证书
master => backup
[netkiller@master ~]$ scp .ssh/id_dsa.pub netkiller@backup.example.org:.ssh/master.

pub
netkiller@backup.example.org's password:
id_dsa.p 100% 612 0.6KB/s
00:00
[netkiller@backup ~]$ cat .ssh/master.pub >> .ssh/authorized_keys
test
[netkiller@master ~]$ ssh backup.example.org

Enter passphrase for key '/home/netkiller/.ssh/id_dsa':
Last login: Tue Mar 27 15:26:35 2007 from master.example.org
[netkiller@backup ~]$
master <= backup
[netkiller@backup ~]$ scp .ssh/id_dsa.pub netkiller@master.example.org:.ssh/backup.

pub
netkiller@master.example.org's password:
id_dsa.pub 100% 609 0.6KB/s
00:00
[netkiller@backup ~]$
[netkiller@master ~]$ cat .ssh/backup.pub >> .ssh/authorized_keys

test
[netkiller@backup ~]$ ssh master.example.org

Enter passphrase for key '/home/netkiller/.ssh/id_dsa':
Last login: Tue Mar 27 15:44:37 2007 from backup.example.org
注意：authorized_keys权限必须为600，否则可能登陆的时候还会让你输入密码，但是一旦改成600以后并且成功登
陆，此问题不再出现。
script
ssh-keygen -d
cp .ssh/id_dsa.pub .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
ls -l .ssh/

disable root SSH login 起始页 disable password authentication



建议你使用证书登录，并禁用密码认证 PasswordAuthentication yes，这样更安全，且不会骇客
穷举你的口令。
PasswordAuthentication no

Automatic SSH / SSH without 起始页 Putty
password
Putty
Putty
Putty
1. config /etc/ssh/sshd_config
$ sudo vim /etc/ssh/sshd_config
AuthorizedKeysFile %h/.ssh/authorized_keys
$ sudo /etc/init.d/ssh reload
2. ssh-keygen
neo@master:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/neo/.ssh/id_rsa):
Your identification has been saved in /home/neo/.ssh/id_rsa.
Your public key has been saved in /home/neo/.ssh/id_rsa.pub.
98:35:81:56:fd:b5:87:e4:94:e4:54:b8:b9:0a:4e:80 neo@master
3. authorized_keys
$ mv .ssh/id_rsa.pub .ssh/authorized_keys
or
$ cat .ssh/id_rsa.pub > .ssh/authorized_keys

Putty
4. PuTTYgen
Load an existing private key file
to click 'Load' button and then open 'id_rsa'
'Save public key' and 'Save private key'
closing PuTTYgen
5. Pageant
opening Pageant
to click mouse right key and then select 'Add Key', opening above private key.
6. Putty
Host Name: your ip address
Connection -> Data -> Auto-login username: your username
Connection -> SSH -> Auth -> Allow agent forwarding, you must checked it
Now, You may click 'Open' to login linux system

disable password authentication 起始页 OpenSSH Tunnel

OpenSSH Tunnel
OpenSSH Tunnel
OpenSSH Tunnel
mysql tunnel
$ ssh -L 3306:127.0.0.1:3306 user@example.org
testing
$ mysql -h 127.0.0.1 -uroot -p test
SOCKS v5 Tunnel
ssh -D 1080 <远程主机地址>

or
ssh -D 7070 <远程主机地址>
I prefer 1080 to 7070. the reason is 1080 default for SOCKS port.

Putty 起始页 OpenSSH for Windows
OpenSSH for Windows
OpenSSH for Windows

OpenSSH for Windows

homepage: http://sshwindows.sourceforge.net/

OpenSSH Tunnel 起始页第 18 章 Firewall
第 18 章 Firewall
第 18 章 Firewall
第 18 章 Firewall
目录

net.ipv4.ip_forward
Getting Started
User-defined Chain
Interfaces
IP Addresses
Ports and Protocols
NAT
IPV6
/etc/default/ufw
ip_forward
DHCP
Samba
Firewall GUI Tools
Shorewall Tools
Endian Firewall
Smooth Firewall

checking status
$ sysctl net.ipv4.ip_forward

第 18 章 Firewall
net.ipv4.ip_forward = 0
or just checking out the value in the /proc system
$ cat /proc/sys/net/ipv4/ip_forward
0
enable
sysctl -w net.ipv4.ip_forward=1
or
#redhat
echo 1 > /proc/sys/net/ipv4/ip_forward
#debian/ubuntu
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward;
disable
or

第 18 章 Firewall
without rebooting the system
net.ipv4.ip_forward
表 18.1. net.ipv4.ip_forward
user route wan

192.168.0.2 eth0:192.168.0.1 eth1:172.16.0.1 172.16.0.254
$ sysctl net.ipv4.ip_forward
try out ping host from 192.168.0.2 to 192.168.0.1 , 172.16.0.1 and 172.16.0.254
you can access 192.168.0.1 , 172.16.0.1, but 172.16.0.254 time out
try again ping 172.16.0.254

OpenSSH for Windows 起始页 iptables - administration tools for
packet filtering and NAT


上一页第 18 章 Firewall 下一页

Linux Iptables Manual
Incoming
Traffic
|
|
V
+----------+
|PREROUTING|
+----------+
| raw | <--------------+
| mangle | |
| nat | |
+----------+ |
| |
| |
Routing |
+- Decision -+ |
| | |
| | |
V V |
Local Remote |
Destination Destination |
| | |
| | |
V V |
+--------+ +---------+ |
| INPUT | | FORWARD | |
+--------+ +---------+ |
| mangle | | mangle | |
| filter | | filter | |
+--------+ +---------+ |
| | |
| | |
V | |
Local | |
Machine | |
| | |
| | |
V | |
Routing | |
Decision | |
| | |
| | |
V | |
+--------+ | |
| OUTPUT | | |
+--------+ | |
| raw | | |
| mangle | | |

| nat | | |
| filter | | |
+--------+ | |
| | |
| +-------------+ |
| | POSTROUTING | Local
+----> +-------------+ --> Traffic
| mangle |
| nat |
+-------------+
|
|
V
Outgoing
Traffic
Getting Started
Redhat / CentOS
You can check to see if iptables is installed on your system by:
[root@database ~]# rpm -q iptables

iptables-1.3.5-5.3.el5_4.1
And to see if iptables is actually running, we can check that the iptables modules are loaded and use the -L
switch to inspect the currently loaded rules:
[root@database ~]# lsmod | grep ip_tables

ip_tables 55201 2 iptable_nat,iptable_filter
x_tables 50505 6 ipt_MASQUERADE,iptable_nat,xt_state,
ipt_REJECT,xt_tcpudp,ip_tables
[root@database ~]# iptables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain FORWARD (policy ACCEPT)

ACCEPT all -- anywhere 192.168.122.0/24 state
RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-
port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-

port-unreachable
Chain OUTPUT (policy ACCEPT)

If iptables is not running, you can enable it by running:
# system-config-securitylevel
User-defined Chain
Chains List
列出规则链
列出INPUT,OUTPUT,FORWARD规则
iptables -L
列出NAT规则
iptables -t nat -L
列出过滤规则
iptables -t filter -L
Chains Refresh
刷新规则
/sbin/iptables -F
/sbin/iptables -F -t filter
/sbin/iptables -F -t nat
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
Chains Admin
创建新链
iptables -N netkiller
删除新链

# iptables -X netkiller
INPUT Rule Chains
OpenSSH
# Accept tcp packets on destination port 22 (SSH)

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Accept tcp packets on destination port 22 (SSH) from private LAN

iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -
j ACCEPT
FTP
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT

DNS
iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT

iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
WWW
# WWW
# HTTPS
# Tomcat
SOCKS5
Mail Server
# SMTP
# SMTPS
# POP3

# POP3S
# IMAP
# IMAPS
MySQL
PostgreSQL
DHCP
iptables -A INPUT -p UDP -i eth0 --dport 67 -j ACCEPT

iptables -A INPUT -p UDP -i eth0 --dport 68 -j ACCEPT
Samba
/sbin/iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 137 -j ACCEPT

iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 145 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.0/24 --dport 138 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.0/24 --dport 139 -j ACCEPT
ICMP
accept_redirects
# echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
or
# sysctl net.ipv4.conf.all.accept_redirects="0"
使自己不能ping 通 127.0.0.1
iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
192.168.0.0/24 网段无法ping能本机
iptables -A INPUT -s 192.168.0.0/24 -p icmp -j DROP
禁所有机器
# iptables -A INPUT -s 0/0 -p icmp -j DROP
# ICMP(PING) 接受 ! echo-request
iptables -A INPUT -p icmp --icmp-type ! echo-request -
j ACCEPT

禁止IP访问自己
$sudo iptables -A INPUT -d 192.168.0.253 -j DROP
DENY
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -j DROP
OUTPUT Rule Chains
outbound
# Open ports for outbound established connections

$IPT -A OUTPUT -p tcp -s $NET -d 0/0 --destination-port 1:65535 -j ACCEPT
$IPT -A OUTPUT -p udp -s $NET -d 0/0 --destination-port 1:65535 -
j ACCEPT
ICMP
本地不允许ping 192.168.0.0/24
iptables -A OUTPUT -s 192.168.0.0/24 -p icmp -j DROP
禁所本地ping任何机器
# iptables -A OUTPUT -s 0/0 -p icmp -j DROP
# ICMP(PING) 接受 ! echo-request
iptables -A OUTPUT -p icmp --icmp-type ! echo-request -j ACCEPT
禁止自己访问某个IP
# iptables -A OUTPUT -d 192.168.0.253 -j DROP
Forward
iptables -A FORWARD -i eth1 -j ACCEPT
# Network 1 forwarded outgoing client request to network 2

iptables -A FORWARD -i eth1 -p tcp -s 192.168.1.0/24 -d 192.168.2.0/24 -m state
--state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eth1 -p tcp -s 192.168.2.0/24 -d 192.168.1.0/24 -m state
--state ESTABLISHED,RELATED -j ACCEPT

TCPMSS
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Malicious Software and Spoofed IP Addresses
# The following rules drop all TCP traffic that attempts to use port 31337:
iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
iptables -A FORWARD -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
Interfaces
iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i ppp0 -j ACCEPT
IP Addresses
# Accept packets from trusted IP addresses

iptables -A INPUT -s 192.168.0.4 -j ACCEPT # change the IP address as appropriate

iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT # using standard slash notation
iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT # using a subnet mask

iptables -A INPUT -s 192.168.0.4 -m mac --mac-source 00:50:8D:FD:E6:32 -
j ACCEPT
Ports and Protocols
# Accept tcp packets on destination port 6881 (bittorrent)

iptables -A INPUT -p tcp --dport 6881 -j ACCEPT
# Accept tcp packets on destination ports 6881-6890

iptables -A INPUT -p tcp --dport 6881:6890 -j ACCEPT
NEW — A packet requesting a new connection, such as an HTTP request.
ESTABLISHED — A packet that is part of an existing connection.
RELATED — A packet that is requesting a new connection but is part of an existing connection. For example, FTP uses port 21 to establish a connection, but data is transferred on a different port (typically port 20).
INVALID — A packet that is not part of any connections in the connection tracking table.

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
NAT
Redirect
重定向规则
端口重定向
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j REDIRECT --to-port 2401
将80端口重定向到8080
# iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 80 --to-
ports 8080
端口转发

iptables -t nat -A PREROUTING -d 192.168.3.9 -p tcp -m tcp --dport 1000 -j DNAT --
to-destination 192.168.3.137:8080
iptables -t nat -A POSTROUTING -s 192.168.3.0/255.255.255.0 -d 192.168.3.137 -p tcp
-m tcp --dport 8080 -j SNAT --to-source 192.168.3.9
Postrouting and IP Masquerading
iptables -P FORWARD ACCEPT

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

sudo iptables -t nat -I POSTROUTING -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -j MASQUERADE -s 172.16.0.0/24 -d 0.0.0.0/0
sudo iptables -t nat -A POSTROUTING -j MASQUERADE -o eth1 -s 172.16.1.0/24 -
d 0.0.0.0/0
sudo iptables -t nat -A POSTROUTING -j MASQUERADE -p tcp -o eth1 -s 172.16.1.0/24 -
d 0.0.0.0/0
Prerouting
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --

to 172.31.0.23:80

If you have a default policy of DROP in your FORWARD chain, you must append a rule to forward all
incoming HTTP requests so that destination NAT routing is possible. To do this, use the following command:
iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 172.31.0.23 -j ACCEPT
This rule forwards all incoming HTTP requests from the firewall to the intended destination; the Apache
HTTP Server behind the firewall.
DNAT and SNAT

iptables -t nat -A PREROUTING -d 202.103.96.10 -j DNAT --to-destination 192.168.0.10
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 202.96.244.56
DMZ zone
#
# DMZ zone
#
$iptables -t nat -A PREROUTING -p TCP -m multiport -i eth0 --dport
22,25,113,80,8080 -j DNAT --to 10.0.0.10
$iptables -t nat -A PREROUTING -p UDP -i eth0 --dport 25 -j DNAT --to-
destination 10.0.0.10
DNAT ppp0/eth0
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 80 -j DNAT --to-

destination <web server ip>
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-
destination 10.0.4.2:80
IPV6
[root@linux iptables]# modprobe ipv6

[root@linux iptables]# modprobe ip6_tables
[root@linux iptables]# [ ! -f /proc/net/ip6_tables_names ] && echo "Current
kernel doesn't support? 'ip6tables' firewalling (IPv6)!"
[root@linux iptables]# ip6tables -A INPUT -i eth0 -p tcp -s 3ffe:ffff:100::1/128
--dport 22 -j ACCEPT

第 18 章 Firewall 起始页 ulogd - The Netfilter Userspace Logging Daemon



ulogd homepage: http://www.gnumonks.org/projects/
1. Installation
$ sudo apt-get install ulogd
$ sudo apt-get install ulogd-mysql

2. Configure LOGEMU
plugin="/usr/lib/ulogd/ulogd_LOGEMU.so"
3. Configure MYSQL
$ sudo vim /etc/ulogd.conf
plugin="/usr/lib/ulogd/ulogd_MYSQL.so"
[MYSQL]
table="ulog"
pass="ulog"
user="ulog"
db="ulogd"
host="localhost"
create database
neo@master:~$ mysql -u root -p -A mysql

Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 5.0.51a-3ubuntu5.1-log (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> create database ulogd;

Query OK, 1 row affected (0.07 sec)
mysql> grant all privileges on ulogd.* to ulog@localhost identified by 'ulog';

Query OK, 0 rows affected (0.09 sec)
mysql> flush privileges;


mysql> source /usr/share/doc/ulogd-mysql/mysql.table

mysql> exit;
Bye
neo@master:~$
4. Iptables
iptables -A INPUT -p tcp --dport 80 -j ULOG

iptables -A FORWARD -j ULOG
5. Starting
$ sudo /etc/init.d/ulogd start

6. testing
logemu
neo@master:~$ tail -f /var/log/ulog/syslogemu.log

Oct 20 12:54:07 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00
SRC=192.168.245.1 DST=192.168.245.129 LEN=40 TOS=00 PREC=0x00 TTL=128 ID=30048 DF
PROTO=TCP SPT=2080 DPT=80 SEQ=1732529774 ACK=1543952440 WINDOW=64608 ACK URGP=0
PROTO=TCP SPT=2080 DPT=80 SEQ=1732529774 ACK=1543952441 WINDOW=64608 ACK URGP=0
PROTO=TCP SPT=2080 DPT=80 SEQ=1732529774 ACK=1543952441 WINDOW=64608 ACK FIN URGP=0
PROTO=TCP SPT=2087 DPT=80 SEQ=866215326 ACK=0 WINDOW=65535 SYN URGP=0
mysql
mysql> select count(*) from ulog;

+----------+
| count(*) |
+----------+
| 8 |
+----------+
1 row in set (0.03 sec)
mysql> select id, raw_mac from ulog;

+----+--------------------------------------------+
| id | raw_mac |
+----+--------------------------------------------+

| 1 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
| 2 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
| 3 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
| 4 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
| 5 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
| 6 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
| 7 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
| 8 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
| 9 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
+----+--------------------------------------------+
9 rows in set (0.00 sec)
共有四个参数可供使用：
1.--ulog-nlgroup
iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-nlgroup 2
指定向哪个netlink组发送包，比如-- ulog-nlgroup 2。一共有32个netlink组，它们被简单地编号位1-32。默认值是1。
2.--ulog-prefix
iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-prefix "SSH connection attempt: "
指定记录信息的前缀，以便于区分不同的信息。使用方法和 LOG的prefix一样，只是长度可以达到32个字符。
3.--ulog-cprange
iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-cprange 100
指定每个包要向“ULOG在用户空间的代理”发送的字节数，如--ulog-cprange 100，
表示把整个包的前100个字节拷贝到用户空间记录下来，其中包含了这个包头，还有一些包的引导数据。默认值是
0，表示拷贝整个包，不管它有多大。
4.--ulog-qthreshold
iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-qthreshold 10
告诉ULOG在向用户空间发送数据以供记录之前，要在内核里收集的包的数量，如--ulog-qthreshold 10。
这表示先在内核里积聚10个包，再把它们发送到用户空间里，它们会被看作同一个netlink的信息，只是由好几部分
组成罢了。
默认值是1，这是为了向后兼容，因为以前的版本不能处理分段的信息

iptables - administration tools for packet filtering 起始页 ufw - program for managing a netfilter firewall
and NAT



1. Installation
sudo apt-get install ufw

2. Enable | Disable
sudo ufw enable | disable
neo@master:~$ sudo ufw enable

Firewall started and enabled on system startup
3. Default Rule
sudo ufw default deny
sudo ufw default allow
neo@master:~$ sudo ufw default deny

Default policy changed to 'deny'
(be sure to update your rules accordingly)
4. Rule Allow|Deny
sudo ufw allow|deny [service]
打开或关闭某个端口，例如：
sudo ufw allow smtp　允许所有的外部IP访问本机的25/tcp (smtp)端口

sudo ufw allow 22/tcp 允许所有的外部IP访问本机的22/tcp (ssh)端口
sudo ufw allow 53 允许外部访问53端口(tcp/udp)
sudo ufw allow from 172.16.1.100 允许此IP访问所有的本机端口
sudo ufw allow proto udp 192.168.0.1 port 53 to 192.168.0.2 port 53
sudo ufw deny smtp 禁止外部访问smtp服务
sudo ufw delete allow smtp 删除上面建立的某条规则
UFW 使用范例
UFW 使用范例：
允许 53 端口
$ sudo ufw allow 53
禁用 53 端口

$ sudo ufw delete allow 53
允许 80 端口
$ sudo ufw allow 80/tcp
禁用 80 端口
$ sudo ufw delete allow 80/tcp
允许 smtp 端口
$ sudo ufw allow smtp
删除 smtp 端口的许可
$ sudo ufw delete allow smtp
允许某特定 IP
$ sudo ufw allow from 192.168.254.254
删除上面的规则
$ sudo ufw delete allow from 192.168.254.254
$ sudo ufw allow ssh

$ sudo ufw allow www
$ sudo ufw allow smtp
neo@master:~$ sudo ufw allow ssh

Rule added
5. Status
sudo ufw status
neo@master:~$ sudo ufw allow www

Rule added
neo@master:~$ sudo ufw status
Firewall loaded
To Action From
-- ------ ----
25:tcp ALLOW Anywhere
22:udp ALLOW Anywhere
6. Rule Delete
sudo ufw delete allow|deny RULE


Firewall loaded
To Action From
-- ------ ----
neo@master:~$ sudo ufw delete allow smtp

Rule deleted
Firewall loaded
To Action From
-- ------ ----
7. logging
sudo ufw logging on|off
neo@master:~$ sudo ufw logging ON

Logging enabled
8. iptales
neo@master:~$ sudo iptables -L

Chain INPUT (policy DROP)
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
Chain FORWARD (policy DROP)

ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)

ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
Chain ufw-after-forward (1 references)

LOG all -- anywhere anywhere limit: avg 3/min
burst 10 LOG level warning prefix `[UFW BLOCK FORWARD]: '

RETURN all -- anywhere anywhere
Chain ufw-after-input (1 references)

RETURN udp -- anywhere anywhere udp dpt:netbios-ns
RETURN udp -- anywhere anywhere udp dpt:netbios-dgm
RETURN tcp -- anywhere anywhere tcp dpt:netbios-ssn
RETURN tcp -- anywhere anywhere tcp dpt:microsoft-ds
RETURN udp -- anywhere anywhere udp dpt:bootps
RETURN udp -- anywhere anywhere udp dpt:bootpc
burst 10 LOG level warning prefix `[UFW BLOCK INPUT]: '
Chain ufw-after-output (1 references)

Chain ufw-before-forward (1 references)

ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)

ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp
destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps
dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT all -- base-address.mcast.net/4 anywhere
ACCEPT all -- anywhere base-address.mcast.net/4
ufw-user-input all -- anywhere anywhere
Chain ufw-before-output (1 references)

ACCEPT tcp -- anywhere anywhere state NEW,
RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state NEW,
RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-not-local (1 references)

RETURN all -- anywhere anywhere ADDRTYPE match dst-
type LOCAL

type MULTICAST
type BROADCAST
burst 10 LOG level warning prefix `[UFW BLOCK NOT-TO-ME]: '
DROP all -- anywhere anywhere
Chain ufw-user-forward (1 references)

Chain ufw-user-input (1 references)

ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT udp -- anywhere anywhere udp dpt:www
Chain ufw-user-output (1 references)

/etc/default/ufw
$ sudo vim /etc/default/ufw

# /etc/default/ufw
#
# set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=no
# set the default input policy to ACCEPT, DROP or REJECT. Please note that if
# you change this you will most likely want to adjust your rules
DEFAULT_INPUT_POLICY="DROP"
# set the default output policy to ACCEPT, DROP, or REJECT. Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_OUTPUT_POLICY="ACCEPT"
# set the default forward policy to ACCEPT, DROP or REJECT. Please note that
# if you change this you will most likely want to adjust your rules
#DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_FORWARD_POLICY="ACCEPT"
# set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"
# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break

# non-ufw managed firewall rules

MANAGE_BUILTINS=no
#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL=/etc/ufw/sysctl.conf
# extra connection tracking modules to load

IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc"
ip_forward
$ sudo vim /etc/ufw/sysctl.conf

net/ipv4/ip_forward=1
DHCP
neo@netkiller:~$ sudo ufw allow 67/udp

Rules updated
Rules updated
Samba
neo@netkiller:~$ sudo ufw allow 137/tcp

Rule added
neo@netkiller:~$ sudo ufw allow 445/tcp
Rule added
Rule added
Rule added

ulogd - The Netfilter Userspace Logging Daemon 起始页 Firewall GUI Tools

Firewall GUI Tools
Firewall GUI Tools

Firewall GUI Tools

KMyFirewall
Firestarter
Firewall Builder

ufw - program for managing a 起始页 Shorewall Tools
netfilter firewall
Shorewall Tools
Shorewall Tools
Shorewall Tools
Shorewall Tools
netkiller@shenzhen:~$ apt-cache search Shorewall

shorewall - Shoreline Firewall (Shorewall), a high-level tool for configuring
Netfilter
shorewall-doc - documentation for Shorewall firewall
shorewall-lite - Shorewall (lite version), a high-level tool for configuring
Netfilter
netkiller@shenzhen:~$
install
sudo apt-get install shorewall
copy config file to /etc/shorewall/
sudo cp /usr/share/doc/shorewall/default-config/modules /etc/shorewall/

sudo cp /usr/share/doc/shorewall/default-config/policy /etc/shorewall/
sudo cp /usr/share/doc/shorewall/default-config/nat /etc/shorewall/
sudo cp /usr/share/doc/shorewall/default-config/zones /etc/shorewall/
sudo cp /usr/share/doc/shorewall/default-config/maclist /etc/shorewall/
sudo cp /usr/share/doc/shorewall/default-config/blacklist /etc/shorewall/
sudo cp /usr/share/doc/shorewall/default-config/interfaces /etc/shorewall/

sudo cp /usr/share/doc/shorewall/default-config/rules /etc/shorewall/
sudo cp /usr/share/doc/shorewall/default-config/hosts /etc/shorewall/
sudo cp /usr/share/doc/shorewall/default-config/masq /etc/shorewall/
过程 18.1. configure
1. interfaces
your net cards: eth0 and eth1, ppp0 is pppoe virtual net adapter
$ sudo vim /etc/shorewall/interfaces
net ppp0 detect dhcp,routefilter,norfc1918,tcpflags

loc eth0 detect tcpflags

Shorewall Tools
loc eth1 detect tcpflags
2. zones
network alias
$ sudo vim /etc/shorewall/zones
net Net Internet

loc Local Local Networks
3. masq
配置IP伪装
ppp0 eth0
4. rules
#
# 允许 DNS 从防火墙连接到 Internet
#
AllowDNS fw net
#
# 允许本地网络可以使用 SSH 来管理服务器
#
AllowSSH loc fw
#
# 允许 Ping 到防火墙和允许防火墙 Ping 其它网络
#
AllowPing loc fw
AllowPing net fw
AllowPing fw loc
AllowPing fw net
#
# 允许 Internet 访问防火墙上的 WEB 服务
#
AllowWeb net fw
#
# 允许 Internet 访问防火墙上的 FTP 服务
#
AllowFTP net fw
#
# 允许 Internet 访问防火墙上的邮件服务
#
AllowSMTP net fw

Shorewall Tools
AllowIMAP net fw
#
# 允许本地网络可以访问 Internet
#
AllowWeb loc net
#
# 允许本地网络可以收发邮件
#
AllowSMTP loc net
AllowIMAP loc net
AllowPOP3 loc net
#
# 允许本地网络使用 FTP 到 Internet
#
AllowFTP loc net
#
# 允许本地网络从 Internet 查询 DNS
#
AllowDNS loc net
#
# 允许本地网络使用 NSM
#
ACCEPT loc net tcp 1863
ACCEPT loc net tcp 443
ACCEPT loc net:gateway.messenger.hotmail.com all
#
# 将WEB访问重新定向到 3128 ,通过squid完成访问 ,访问服务器地址 192.168.0.1 除外。
#
#REDIRECT loc 3128 tcp www - !192.168.0.1
5. 修改 shorewall.conf
自动开启 IP 转发
查找 IP_FORWARDING=Keep 改为On
IP_FORWARDING=On
6. 修改 /etc/default/shorewall 自动运行防火墙
sudo vim /etc/default/shorewall
startup=0
改为
startup=1

Shorewall Tools
7. 启动防火墙
sudo shorewall start

Firewall GUI Tools 起始页 Endian Firewall

Endian Firewall
Endian Firewall
Endian Firewall
http://www.endian.com/

Shorewall Tools 起始页 Smooth Firewall
Smooth Firewall
Smooth Firewall
Smooth Firewall

Endian Firewall 第 19 章 OpenVPN (openvpn -
起始页
Virtual Private Network daemon)
第 19 章 OpenVPN (openvpn - Virtual Private Network daemon)


目录
Openvpn Server
Openvpn Client
Windows Server
Windows Client
point-to-point VPNs
源码安装
vpn 案例
http://openvpn.net/
Openvpn Server
Ubuntu/Debian 环境安装
过程 19.1. Openvpn Server 安装步骤
1. 相关软件包
netkiller@shenzhen:~$ apt-cache search openvpn

carpaltunnel - Configuration helper for OpenVPN

kvpnc - vpn clients frontend for KDE
network-manager-openvpn - network management framework (OpenVPN plugin)
openvpn - Virtual Private Network daemon
tunneldigger - Configures OpenVPN tunnel networks
tunneldigger-utils - Utilities for TunnelDigger-configured OpenVPN tunnels
You have new mail in /var/mail/netkiller
This is for Dapper ubuntu and openvpn
netkiller@shenzhen:~$ sudo apt-get install openvpn
● config file
/etc/openvpn/
● share
/usr/share/openvpn/
● doc
/usr/share/doc/openvpn/
● example
/usr/share/doc/openvpn/examples/
2. CREATE KEYS FOR THE SERVER AND THE CLIENTS
Change to the directory /usr/share/doc/openvpn/examples/easy-rsa/2.0
netkiller@shenzhen:~$ cd /usr/share/doc/openvpn/examples/easy-rsa/2.0
netkiller@shenzhen:/usr/share/doc/openvpn/examples/easy-rsa/2.0$ ls
build-ca build-dh build-inter build-key build-key-pass build-key-pkcs12
build-key-server build-req build-req-pass clean-all inherit-inter list-
crl Makefile openssl-0.9.6.cnf.gz openssl.cnf pkitool README.gz revoke-
full sign-req vars whichopensslcnf
backup vars to vars.original
sudo cp vars vars.original
vi vars and change with you
export KEY_COUNTRY="CN"
export KEY_PROVINCE="GD"
export KEY_CITY="Shenzhen"
export KEY_ORG="http://netkiller.8800.org"
export KEY_EMAIL="openunix@163.com"
type the commands

● vars
● clean-all
● build-ca
● build-key-server server
● build-key client1
● build-dh
a. vars and clean-all
netkiller@shenzhen:/usr/share/doc/openvpn/examples/easy-rsa/2.0$ source ./vars

NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/
openvpn/examples/easy-rsa/2.0/keys
netkiller@shenzhen:/usr/share/doc/openvpn/examples/easy-rsa/2.0$ ./clean-all
$ sudo mkdir keys

$ sudo chown neo.neo keys
b. build-ca
netkiller@shenzhen:/usr/share/doc/openvpn/examples/easy-rsa/2.0$ ./build-ca
..........................++++++
.............++++++
writing new private key to 'ca.key'
-----
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [Shenzhen]:
Organization Name (eg, company) [http://netkiller.8800.org]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [http://netkiller.8800.org CA]:
Email Address [openunix@163.com]:
c. build-key-server server
You will have to answer the same questions above. It will ask you for a password, I suggest you don’t put
a password when it ask.
netkiller@shenzhen:/usr/share/doc/openvpn/examples/easy-rsa/2.0$ ./build-key-
server server
...................................++++++
...........................................++++++
writing new private key to 'server.key'
-----
-----


Common Name (eg, your name or your server's hostname) [server]:
Please enter the following 'extra' attributes

to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GD'
localityName :PRINTABLE:'Shenzhen'
organizationName :PRINTABLE:'http://netkiller.8800.org'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'openunix@163.com'
Certificate is to be certified until Nov 10 18:09:52 2017 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries
Data Base Updated
enter yes to sign the certificate.

d. build-key client1
Now to build the client files
netkiller@shenzhen:/usr/share/doc/openvpn/examples/easy-rsa/2.0$ ./build-key client1

.++++++
...........++++++
writing new private key to 'client1.key'
-----
-----
Common Name (eg, your name or your server's hostname) [client1]:

A challenge password []:
Using configuration from /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf


Signature ok
organizationName :PRINTABLE:'http://netkiller.8800.org'
commonName :PRINTABLE:'client1'
Certificate is to be certified until Nov 10 18:15:39 2017 GMT (3650 days)

Data Base Updated
And once again you will need to answer the questions above. I still don’t recommend you putting a password as
it can cause problems when I have tried.
注意在进入 Common Name (eg, your name or your server's hostname) []: 的输入时, 每个证书输入的名字必须不同.
e. build-dh
netkiller@shenzhen:/usr/share/doc/openvpn/examples/easy-rsa/2.0$ ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..........+................................................
+..............+...........+.
+.................................................
+...............
+............................................
+.................................................................................................
+.....................................................................
+..................+....................
+.......+......................................
+....................................+....+..
+...................................
+............................................................+...+..+..........
+.....+..................+.........+.........+....
+..........+...........................................................+..
+..+......................................................................+......
+..+.....................
+......................
+.............................................................................
+.......................................+................
+.........................
+.............................................
+.....................
+.......................................................................................
+..................................................................
+.......................................................................................................................................
+....+.................
+....................................................
+.................................................+.
+.........................
+............................................+..............
+.........+........................+.......
+...................................
+.....................+..............................+..............
+.....+...................+..........................................
+.........
+............................................................
+.....................................................................................................................................
+......................................................................................................................................................
+............................+....
+.......
+...........................................................................................................................................
+.................................................................................
+..............................................................................................
+...............................+.............................................
+......+...............................................
+............
+...............................................................+........
+......
+.............................................................................................................
+........................+..
+............
+.............................................
+............................
+...................
+...........................................................
+............................................................
+.................................................................................................................................................
++*++*++*
All the files you just generated are located in /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys
If you do a list command in the keys folder you should have something like:
netkiller@shenzhen:/usr/share/doc/openvpn/examples/easy-rsa/2.0$ ls keys/
01.pem ca.crt client1.crt client1.key index.txt index.txt.attr.
old serial server.crt server.key
02.pem ca.key client1.csr dh1024.pem index.txt.attr index.txt.old
serial.old server.csr
Copy the files ca.crt, ca.key, dh1024.pem, server.crt, and server.key to the /etc/openvpn/keys
netkiller@shenzhen:/usr/share/doc/openvpn/examples/easy-rsa/2.0$ cd keys/
netkiller@shenzhen:/usr/share/doc/openvpn/examples/easy-rsa/2.0/keys$ sudo cp
keys/ca.key keys/ca.crt keys/dh1024.pem keys/server.key keys/server.crt /etc/openvpn/
We will worry about the client files after we configure the client config file.
3. CONFIGURE THE SERVER
Change to the directory /usr/share/doc/openvpn/examples/sample-config-files
netkiller@shenzhen:/usr/share/doc/openvpn/examples/sample-config-files$ sudo
gunzip server.conf.gz
netkiller@shenzhen:/usr/share/doc/openvpn/examples/sample-config-files$ sudo
cp server.conf /etc/openvpn/
netkiller@shenzhen:/usr/share/doc/openvpn/examples/sample-config-files$ cd /
etc/openvpn/
netkiller@shenzhen:/etc/openvpn$

为用户添加路由
push "route 192.168.1.0 255.255.255.0"
例 19.1. server.conf
#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
# #
# Comments are preceded with '#' or ';' #
#################################################
# Which local IP address should OpenVPN

# listen on? (optional)
;local a.b.c.d
;local 192.168.1.7
# Which TCP/UDP port should OpenVPN listen on?

# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194
# TCP or UDP server?

;proto tcp
proto udp
# "dev tun" will create a routed IP tunnel,

# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap

dev tun
# Windows needs the TAP-Win32 adapter name

# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap
# SSL/TLS root certificate (ca), certificate

# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
# Diffie hellman parameters.

# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh1024.pem
# Configure server mode and supply a VPN subnet

# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
# Maintain a record of client <-> virtual IP address

# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt
# Configure server mode for ethernet bridging.

# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Push routes to the client to allow it

# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
# To assign specific IP addresses to specific

# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).
# EXAMPLE: Suppose the client

# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:

# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.
# EXAMPLE: Suppose you want to give

# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
# Suppose that you want to enable different

# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script
# If enabled, this directive will configure

# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in

# order for this to work properly).

# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel. Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
;push "redirect-gateway"
# Certain Windows-specific network settings

# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
# Uncomment this directive to allow different

# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client
# Uncomment this directive if multiple clients

# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
# The keepalive directive causes ping-like

# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# For extra security beyond that provided

# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret
# Select a cryptographic cipher.

# This config item must be copied to
# the client config file as well.

;cipher BF-CBC # Blowfish (default)

;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
# Enable compression on the VPN link.

# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
# The maximum number of concurrently connected

# clients we want to allow.
;max-clients 100
# It's a good idea to reduce the OpenVPN

# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nogroup
# The persist options will try to avoid

# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing

# current connections, truncated
# and rewritten every minute.
status openvpn-status.log
# By default, log messages will go to the syslog (or

# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
log openvpn.log
;log-append openvpn.log
# Set the appropriate level of log

# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
# Silence repeating messages. At most 20

# sequential messages of the same message
# category will be output to the log.
;mute 20
test

netkiller@shenzhen:/etc/openvpn$ sudo openvpn --config /etc/openvpn/server.conf

Tue Nov 13 14:12:33 2007 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL]
built on Mar 2 2007
Tue Nov 13 14:12:33 2007 Diffie-Hellman initialized with 1024 bit key
Tue Nov 13 14:12:33 2007 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Nov 13 14:12:33 2007 TUN/TAP device tun0 opened
Tue Nov 13 14:12:33 2007 ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Tue Nov 13 14:12:33 2007 route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Tue Nov 13 14:12:33 2007 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135
ET:0 EL:0 AF:3/1 ]
Tue Nov 13 14:12:33 2007 UDPv4 link local (bound): [undef]:1194
Tue Nov 13 14:12:33 2007 UDPv4 link remote: [undef]
Tue Nov 13 14:12:33 2007 MULTI: multi_init called, r=256 v=256
Tue Nov 13 14:12:33 2007 IFCONFIG POOL: base=10.8.0.4 size=62
Tue Nov 13 14:12:33 2007 IFCONFIG POOL LIST
Tue Nov 13 14:12:33 2007 Initialization Sequence Completed
4. Start
netkiller@shenzhen:~$ sudo /etc/init.d/openvpn start

Starting virtual private network daemon: server(OK).

Smooth Firewall 起始页 Openvpn Client

Openvpn Client
Openvpn Client
第 19 章 OpenVPN (openvpn - Virtual Private
上一页下一页
Network daemon)
Openvpn Client
$ cd /usr/share/doc/openvpn/examples/easy-
rsa/2.0
$ cp keys/ca.crt keys/client1.crt keys/client1.key /etc/
openvpn/
过程 19.2. Openvpn Client 安装步骤
● CONFIGURE THE CLIENTS
修改 remote my-server-1 1194
例 19.2. client.conf
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we

# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on

Openvpn Client
# the server.
;dev tap
dev tun

# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or

# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.

# You can have multiple remote entries
# to load balance between the servers.
remote vpn.netkiller.8800.org 1194
;remote my-server-2 1194
# Choose a random host from the remote

# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the

# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to

# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)

;user nobody

Openvpn Client
;group nogroup
# Try to preserve some state across restarts.

persist-key
persist-tun
# If you are connecting through an

# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot

# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client1.crt
key client1.key
# Verify server certificate by checking

# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

Openvpn Client
# If a tls-auth key is used on the server

# then every client must also have the key.
;tls-auth ta.key 1

# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.

verb 3
# Silence repeating messages

;mute 20

第 19 章 OpenVPN (openvpn - OpenVPN GUI for Windows
起始页
Virtual Private Network daemon)


上一页第 19 章 OpenVPN (openvpn - Virtual Private Network daemon) 下一页
Windows Server
过程 19.3. For Windows Server
1. http://openvpn.se/
http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe
下载安装后,会在系统托盘上显示图标.这时并不能使用,使用创建配置文件后托盘图标才会显示连接菜单
2. 创建证书
C:\Documents and Settings\Neo>cd "\Program Files\OpenVPN\easy-rsa"

C:\Program Files\OpenVPN\easy-rsa>
C:\Program Files\OpenVPN\easy-rsa>init-config.bat
编辑vars.bat
set KEY_COUNTRY=CN
set KEY_PROVINCE=GD
set KEY_CITY=Shenzhen
set KEY_ORG=netkiller.org.cn
set KEY_EMAIL=openunix@163.com
C:\Program Files\OpenVPN\easy-rsa>clean-all.bat
C:\Program Files\OpenVPN\easy-rsa>vars.bat
创建CA证书
C:\Program Files\OpenVPN\easy-rsa>build-ca.bat
Loading 'screen' into random state - done
......++++++
......++++++
writing new private key to 'keys\ca.key'
-----

-----
Organization Name (eg, company) [netkiller.org.cn]:
Organizational Unit Name (eg, section) []:vpn
Common Name (eg, your name or your server's hostname) []:netkiller.org.cn
dh
C:\Program Files\OpenVPN\easy-rsa>build-dh.bat
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..........................+...................+.................................
.................................+...........+.....................+.......+....
...............................................................+..+.............
.+.......................................+......................................
...+..+...........+................................+............................
................................................+.....+.........................
................................................+.....+......+..................
....................................+...........................................
.........................................................................+.....+
.......................................+.....................+..................
....+...........................................................................
......................+............................+............................
................................................................................
................................................................................
............................+.................+......................+......+...
.............+...................+..............................................
.................+............................................+.................
................................................................................
................................+....+.................+........................
...................+.......+....................................................
..+...............+.............................................................
................................................................................
...............................................................+................
.......+.........................................................++*++*++*

server key
C:\Program Files\OpenVPN\easy-rsa>build-key-server.bat server

........++++++
....................++++++
writing new private key to 'keys\server.key'
-----
-----

A challenge password []:chen
Using configuration from openssl.cnf
Signature ok
organizationName :PRINTABLE:'netkiller.org.cn'
organizationalUnitName:PRINTABLE:'vpn'
commonName :PRINTABLE:'netkiller.org.cn'
Certificate is to be certified until Jun 9 03:14:55 2017 GMT (3650 days)

Data Base Updated

client key
C:\Program Files\OpenVPN\easy-rsa>build-key.bat client

......++++++
....................++++++
writing new private key to 'keys\client.key'
-----
-----
Email Address [openunix@163.com ]:

A challenge password []:chen
Using configuration from openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Signature ok
organizationName :PRINTABLE:'netkiller.org.cn'
organizationalUnitName:PRINTABLE:'vpn'
commonName :PRINTABLE:'netkiller.org.cn'
emailAddress :IA5STRING:'openunix@163.comÎ'
Certificate is to be certified until Jun 9 03:17:55 2017 GMT (3650 days)
failed to update database
TXT_DB error number 2
3. 配置

例 19.3. server.ovpn
#################################################
# #
# #
# #
# #
#################################################

;local a.b.c.d

port 1194

;proto tcp
proto udp


;dev tap
dev tun

;dev-node MyTap

#
#
ca ca.crt
cert server.crt

# 2048 bit keys.
dh dh1024.pem

server 10.8.0.0 255.255.255.0




;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# address pool (10.8.0.0/255.255.255.0)
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"


# machine, such as 192.168.40.128/255.255.255.248.
;route 192.168.40.128 255.255.255.248
# iroute 192.168.40.128 255.255.255.248

;route 10.9.0.0 255.255.255.252
# ifconfig-push 10.9.0.1 10.9.0.2




# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel. Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.

;push "dhcp-option WINS 10.8.0.1"

;client-to-client

# pair.
#
;duplicate-cn



keepalive 10 120

#
# Generate with:
#


comp-lzo

;max-clients 100

#
;user nobody
;group nobody

persist-key
persist-tun




;log openvpn.log
;log-append openvpn.log

# file verbosity.
#
verb 3

;mute 20
Windows Client
过程 19.4. For Windows Client
1. 配置文件
将C:\Program Files\OpenVPN\sample-config目录下的client.ovpn复制到C:\Program Files\OpenVPN\config
ca.crt, client.crt, client.key 三个文件复制到 C:\Program Files\OpenVPN\config
修改;remote my-server-1 1194
remote vpn.netkiller.8800.org 1194
编辑client.ovpn文件
例 19.4. client.ovpn
##############################################
# #

# #
##############################################

# from the server.
client

# the server.
;dev tap
dev tun

;dev-node MyTap

# on the server.
;proto tcp
proto udp

remote netkiller.8800.org 1194

;remote-random


nobind

;user nobody
;group nobody


persist-key
persist-tun

# authentication.

# SSL/TLS parms.
ca ca.crt
cert client1.crt
key client1.key

#

;tls-auth ta.key 1

;cipher x

comp-lzo


verb 3

;mute 20
2. 连接到VPN服务器
托盘图标上->右键->选择 [Connect] 菜单

Openvpn Client 起始页 point-to-point VPNs

point-to-point VPNs
point-to-point VPNs
第 19 章 OpenVPN (openvpn - Virtual Private Network
上一页下一页
daemon)
point-to-point VPNs
过程 19.5. This example demonstrates a bare-bones point-to-point OpenVPN configuration.
1. Generate a static key
$ cd /etc/openvpn/
$ sudo openvpn --genkey --secret static.key
2. server configuration file
$ cd /usr/share/doc/openvpn/examples/sample-config-files
$ sudo cp static-office.conf office.up /etc/openvpn/
static-office.conf
$ sudo vim static-office.conf
3. client configuration file
$ cd /usr/share/doc/openvpn/examples/sample-config-files
$ sudo cp static-home.conf home.up /etc/openvpn/
$ cd /etc/openvpn/
$ scp user@netkiller.8800.org:/etc/openvpn/static.key .
static-home.conf
remote netkiller.8800.org
copy C:\Program Files\OpenVPN\sample-config\sample.ovpn C:\Program Files\OpenVPN

point-to-point VPNs
\config

OpenVPN GUI for Windows 起始页源码安装

源码安装
源码安装
上一页第 19 章 OpenVPN (openvpn - Virtual Private Network daemon) 下一页
源码安装
过程 19.6. OpenVPN 编译安装步骤
1. 安装liblzo,libssl支持库
netkiller@neo:~$ sudo apt-get install liblzo-dev

netkiller@neo:~$ sudo apt-get install libssl-dev
2. 取得安装包
netkiller@neo:/usr/local$ sudo chmod 777 /usr/local/src/

netkiller@neo:~$ cd /usr/local/src/
netkiller@neo:/usr/local/src$ wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
netkiller@neo:/usr/local/src$ tar zxvf openvpn-2.0.9.tar.gz
netkiller@neo:/usr/local/src$ cd openvpn-2.0.9/
netkiller@neo:/usr/local/src/openvpn-2.0.9$
3. 编译安装
netkiller@neo:/usr/local/src/openvpn-2.0.9$ ./configure --prefix=/usr/local/

openvpn-2.0.9 --enable-pthread
netkiller@neo:/usr/local/src/openvpn-2.0.9$ make
netkiller@neo:/usr/local/src/openvpn-2.0.9$ sudo make install
4. 配置文件
netkiller@neo:/usr/local/src/openvpn-2.0.9$ sudo ln -s /usr/local/openvpn-

2.0.9/ /usr/local/openvpn
netkiller@neo:/usr/local/src/openvpn-2.0.9$ cd /usr/local/openvpn
netkiller@neo:/usr/local/openvpn$ sudo mkdir etc
netkiller@neo:/usr/local/openvpn$ sudo mkdir log
netkiller@neo:/usr/local/openvpn$ sudo vi etc/openvpn.conf
例 19.5. openvpn.conf
sudo cp ca.crt dh1024.pem server.crt server.key /usr/local/openvpn/etc/

源码安装
5. 创建证书
修改vars文件的环境变量
netkiller@neo:/usr/share/openvpn$ sudo vi vars

export KEY_COUNTRY=CN
export KEY_PROVINCE=GD
export KEY_CITY=Shenzhen
export KEY_ORG=netkiller.org.cn
export KEY_EMAIL=openunix@163.com
netkiller@neo:/usr/local/openvpn$ cd /usr/share/openvpn/
netkiller@neo:/usr/share/openvpn$
netkiller@neo:~/openvpn-2.1_rc1/easy-rsa/2.0$ sudo make install DESTDIR=/usr/

share/openvpn
install -c --directory "/usr/share/openvpn/"
install -c --mode=0755 build-* "/usr/share/openvpn/"
install -c --mode=0755 clean-all list-crl inherit-inter pkitool revoke-full sign-
req whichopensslcnf "/usr/share/openvpn/"
install -c --mode=0644 openssl-0.9.6.cnf openssl.cnf README vars "/usr/
share/openvpn/"
netkiller@neo:~/openvpn-2.1_rc1/easy-rsa/2.0$
netkiller@neo:/usr/share/openvpn$ sudo chmod +x vars

netkiller@neo:/usr/share/openvpn$
netkiller@neo:/usr/share/openvpn$ sudo ./clean-all
netkiller@neo:/usr/share/openvpn$ sudo ./build-ca

netkiller@neo:/usr/share/openvpn$ sudo ./build-key-server server
netkiller@neo:/usr/share/openvpn$ sudo ./build-key client1
netkiller@neo:/usr/share/openvpn$ sudo mkdir /etc/openvpn

netkiller@neo:/usr/share/openvpn$ cd /etc/openvpn/
netkiller@neo:/etc/openvpn$ sudo vi server.ovpn
netkiller@neo:/etc/openvpn$ sudo cp /usr/share/openvpn/keys/dh1024.pem .
netkiller@neo:/etc/openvpn$ sudo cp /usr/share/openvpn/keys/server.crt .
netkiller@neo:/etc/openvpn$ sudo cp /usr/share/openvpn/keys/server.key .
netkiller@neo:/etc/openvpn$ sudo cp /usr/share/openvpn/keys/ca.crt .
root@neo:/home/netkiller/openvpn-2.1_rc1/sample-config-files# cp * /etc/openvpn/
root@neo:/home/netkiller/openvpn-2.1_rc1/sample-config-files# cd /etc/openvpn/
6. 启动
/usr/local/openvpn/sbin/openvpn --config /usr/local/openvpn/etc/openvpn.conf
7. Script
/etc/init.d/openvpn

源码安装
#!/bin/bash
# vpn init file for OpenVPN
#
# chkconfig: - 100 100
# description: OpenVPN is a full-featured SSL VPN solution which can accomodate
a wide range of configurations,
# including remote access, site-to-site VPNs,
WiFi security,
# and enterprise-scale remote access solutions
with load balancing, failover,
# and fine-grained access-controls
# as it is designed and optimized for high
performance environments.
# author: Neo Chen<openunix@163.com>
#
# processname: $PROG
# config:
# pidfile: /var/run/openvpn
# source function library

. /etc/init.d/functions
PREFIX=/usr/local/openvpn
PROG=$PREFIX/sbin/openvpn
OPTIONS="-f /usr/local/openvpn/etc/openvpn.conf"
USER=daemon
RETVAL=0
prog="openvpn"
start() {
echo -n $"Starting $prog: "
if [ $UID -ne 0 ]; then
RETVAL=1
failure
else
daemon --user=$USER $PROG $OPTIONS
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/openvpn
fi;
echo
return $RETVAL
}
stop() {
echo -n $"Stopping $prog: "
RETVAL=1
failure
else
killproc $PROG
RETVAL=$?
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/openvpn
fi;
echo
return $RETVAL
}

源码安装
reload(){
echo -n $"Reloading $prog: "
killproc $PROG -HUP
RETVAL=$?
echo
return $RETVAL
}
restart(){
stop
start
}
condrestart(){
[ -e /var/lock/subsys/openvpn ] && restart
return 0
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
reload)
reload
;;
condrestart)
condrestart
;;
status)
status openvpn
RETVAL=$?
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart|reload}"
RETVAL=1
esac
exit $RETVAL
添加x权限
sudo chmod +x /etc/init.d/openvpn

源码安装
point-to-point VPNs 起始页 vpn 案例

vpn 案例
vpn 案例
第 19 章 OpenVPN (openvpn - Virtual Private
上一页下一页
Network daemon)
vpn 案例
office (linux) home (xp)

-------------- ----------
172.16.0.1 eth0 192.168.0.1
^ ^
| |
10.8.0.1 tun0 --> 10.8.0.2 <---> 10.8.0.5 <-- 10.8.0.6
testing home - > office

----------------------------------------------------------
ping 10.8.0.1 OK
ping 172.16.0.1 OK
ping 172.16.0.254 OK
例 19.6. office.conf
office
$ sudo sysctl -w net.ipv4.ip_forward=1

$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#################################################

vpn 案例
# #
# #
# #
# #
#################################################

;local a.b.c.d

port 1194

;proto tcp
proto udp


vpn 案例

;dev tap
dev tun

;dev-node MyTap

#
#
ca ca.crt
cert server.crt

# 2048 bit keys.
dh dh1024.pem

vpn 案例

server 10.8.0.0 255.255.255.0


;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Configure server mode for ethernet bridging

# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge


vpn 案例

# address pool (10.8.0.0/255.255.255.0)
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
push "route 172.16.0.0 255.255.255.0"


# machine, such as 192.168.40.128/255.255.255.248.
;route 192.168.40.128 255.255.255.248
# iroute 192.168.40.128 255.255.255.248

;route 10.9.0.0 255.255.255.252
route 192.168.102.0 255.255.255.0
# ifconfig-push 10.9.0.1 10.9.0.2


vpn 案例


# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# The addresses below refer to the public
# DNS servers provided by opendns.com.

client-to-client

# pair.
#

vpn 案例

;duplicate-cn

keepalive 10 120

#
# Generate with:
#


comp-lzo

;max-clients 100


vpn 案例
#
;user nobody
;group nogroup

persist-key
persist-tun


log openvpn.log
log-append openvpn.log

# file verbosity.
#
verb 3

;mute 20

vpn 案例
例 19.7. home.ovpn
##############################################
# #
# #
##############################################

# from the server.
client

# the server.
;dev tap
dev tun

;dev-node MyTap

# on the server.
;proto tcp
proto udp

vpn 案例

remote netkiller.8800.org 1194

;remote-random


nobind

;user nobody
;group nobody

persist-key
persist-tun

# authentication.


vpn 案例
# SSL/TLS parms.
ca ca.crt
cert client.crt
key client.key

#

;tls-auth ta.key 1

;cipher x

comp-lzo

verb 3

;mute 20

vpn 案例

源码安装起始页第 20 章 pptpd

第 20 章 pptpd
第 20 章 pptpd
第 20 章 pptpd
过程 20.1. pptpd 安装步骤
1. install
$ sudo apt-get install pptpd
2. $ sudo vim /etc/pptpd.conf
localip 172.16.0.1
remoteip 172.16.0.50-100
3. $ sudo vim /etc/ppp/pptpd-options
ms-dns 208.67.222.222
ms-dns 208.67.220.220
4. $ sudo vim /etc/ppp/chap-secrets
# Secrets for authentication using CHAP

# client server secret IP addresses
neo pptpd chen *
5. restart
sudo /etc/init.d/pptpd restart

Restarting PPTP:
Stopping PPTP: pptpd.
Starting PPTP Daemon: pptpd.
6. $ sudo vim /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4

net.ipv4.ip_forward=1

第 20 章 pptpd
refresh status
$ sudo sysctl -p
7. NAT
$ sudo iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o eth0 -j MASQUERADE

$ sudo iptables-save > /etc/iptables-rules
$ sudo vim /etc/network/interfaces
pre-up iptables-restore < /etc/iptables-rules
8. firewall
$ sudo ufw allow 1723

Rules updated
MTU
$ sudo iptables -A FORWARD -s 10.100.0.0/24 -p tcp -m tcp --tcp-flags SYN,RST SYN -j

TCPMSS --set-mss 1200
还有一个最简单的修改mtu的办法：
$ sudo vim /etc/ppp/ip-up.local
!/bin/bash
/sbin/ifconfig $1 mtu 1496

vpn 案例起始页第 21 章 Ipsec VPN

第 21 章 Ipsec VPN
目录


http://www.openswan.org/

第 20 章 pptpd 起始页 strongswan - IPSec utilities for
strongSwan

上一页第 21 章 Ipsec VPN 下一页

http://www.strongswan.org/

第 21 章 Ipsec VPN 起始页 ipsec-tools - IPsec tools for Linux

上一页第 21 章 Ipsec VPN 下一页

https://trac.ipsec-tools.net/

strongswan - IPSec utilities for 第 22 章 Stunnel - universal SSL
起始页
strongSwan tunnel
第 22 章 Stunnel - universal SSL tunnel


Homepage: http://www.stunnel.org/
Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure
Sockets Layer) available on both Unix and Windows. Stunnel can allow you to secure non-SSL
aware daemons and protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the
encryption, requiring no changes to the daemon's code.
1. install
$ sudo apt-get install stunnel4
2. enable stunnel
$ vim /etc/default/stunnel4
# /etc/default/stunnel
# Julien LEMOINE <speedblue@debian.org>
# September 2003
# Change to one to enable stunnel

ENABLED=0
FILES="/etc/stunnel/*.conf"
OPTIONS=""
# Change to one to enable ppp restart scripts

PPP_RESTART=0
edit /etc/default/stunnel4 file and change ENABLED=0 to ENABLED=1 to enable Stunnel

3. config

$ sudo vim /etc/stunnel/stunnel.conf

[pop3s]
accept = 995
connect = 110
[imaps]
accept = 993
connect = 143
[ssmtp]
accept = 465
connect = 25
[https]
accept = 443
connect = 80
4. start
$ sudo /etc/init.d/stunnel4 start

ipsec-tools - IPsec tools for Linux 起始页部分 III. Web Application

部分 III. Web Application

上一页下一页

目录
23. Lighttpd and fastcgi

shell script
Module
simple-vhost
enable fastcgi
ssl
redirect
rewrite
alias.url
auth
compress module
mod_expire
status
fastcgi
PHP
Python
Perl
24. Nginx
25. LAMP
Install
XAMPP for Linux
Apache 调优
worker

Listen
VirtualHost
Module
Apache Status
Alias / AliasMatch
Rewrite
Proxy
deflate
mod_expires
Apache Log
Charset
PHP 5
Mod Perl
Error Prompt
Invalid command 'Order', perhaps misspelled or defined by a module not included
in the server configuration
Invalid command 'AuthUserFile', perhaps misspelled or defined by a module not
26. Tomcat 安装与配置
install java
install tomcat
Connector
mod_jk
mod_proxy_ajp
Testing file
Script 1
Shell Script 2
27. Resin
安装Resin
Debian/Ubuntu
源码安装Resin
28. Application Service
Zope


29. Search Engine
Solr
Embedded Jetty
Jetty
Tomcat
solr-php-client
multicore
中文分词
Nutch
30. Web Server Optimization
ulimit
open files
php.ini
Resource Limits
File Uploads
Session Shared
PATHINFO
Zend Optimizer
eaccelerator
Memcached
编译安装
debian/ubuntu
khttpd
31. Web Analysis
综合测试
awstats
webalizer
32. varnish - a state-of-the-art, high-performance HTTP accelerator
Varnish Install
status
varnishadm
清除缓存
log file
上一页下一页

第 22 章 Stunnel - universal SSL 第 23 章 Lighttpd and fastcgi

起始页
tunnel

第 23 章 Lighttpd and fastcgi

上一页部分 III. Web Application 下一页

目录

shell script
Module
simple-vhost
enable fastcgi
ssl
redirect
rewrite
alias.url
auth
compress module
mod_expire
status
fastcgi
PHP
Python
Perl

if you OS is Ubuntu/Debian
apt-get install lighttpd
netkiller@shenzhen:~$ sudo apt-get install lighttpd
the config file in /etc/lighttpd
netkiller@shenzhen:~/document/Docbook/Linux$ find /etc/lighttpd/

/etc/lighttpd/
/etc/lighttpd/lighttpd.conf
/etc/lighttpd/conf-enabled
/etc/lighttpd/conf-available
/etc/lighttpd/conf-available/10-userdir.conf
/etc/lighttpd/conf-available/10-fastcgi.conf
/etc/lighttpd/conf-available/10-cgi.conf
/etc/lighttpd/conf-available/README
/etc/lighttpd/conf-available/10-ssl.conf
/etc/lighttpd/conf-available/10-proxy.conf
/etc/lighttpd/conf-available/10-auth.conf
/etc/lighttpd/conf-available/10-simple-vhost.conf
/etc/lighttpd/conf-available/10-ssi.conf
Enabling and disabling modules could be done by provided e.g.
/usr/sbin/lighty-enable-mod fastcgi
/usr/sbin/lighty-disable-mod fastcgi
when you enabled a mod please force-reload it
netkiller@shenzhen:/etc/lighttpd$ sudo lighty-enable-mod fastcgi

Available modules: auth cgi fastcgi proxy simple-vhost ssi ssl userdir
Already enabled modules: userdir
Enabling fastcgi: ok
Run /etc/init.d/lighttpd force-reload to enable changes
netkiller@shenzhen:/etc/lighttpd$ sudo /etc/init.d/lighttpd force-reload
* Stopping web
server
lighttpd
[ OK ]
* Starting web server lighttpd

部分 III. Web Application 起始页 to compile and then install lighttpd

上一页第 23 章 Lighttpd and fastcgi 下一页

1. 下载相关软件
立即下载
$ sudo apt-get install libpcre3*
cd /usr/local/src/
wget http://www.lighttpd.net/download/lighttpd-1.4.15.tar.gz
tar zxvf lighttpd-1.4.15.tar.gz
cd lighttpd-1.4.15
2. 编译安装
./configure --prefix=/usr/local/lighttpd-1.4.15 \
--with-bzip2 \
--with-memcache
make
make install
3. 创建目录与配置文件
ln -s /usr/local/lighttpd-1.4.15/ /usr/local/lighttpd
mkdir -p /www/pages
mkdir /www/logs
mkdir /usr/local/lighttpd/htdocs
mkdir /usr/local/lighttpd/logs
mkdir /usr/local/lighttpd/etc
cp ./doc/lighttpd.conf /usr/local/lighttpd/etc/
cd /usr/local/lighttpd/
4. 配置lighttpd.conf
vi etc/lighttpd.conf
找到 server.modules
删除 mod_fastcgi 前的注释
跟据你的需求修改下面定义

server.document-root = "/usr/local/lighttpd/htdocs/"
server.errorlog = "/usr/local/lighttpd/logs/lighttpd.error.log"
accesslog.filename = "/usr/local/lighttpd/logs/access.log"
注释 $HTTP["url"]
#$HTTP["url"] =~ "\.pdf$" {
# server.range-requests = "disable"
#}
5. 运行lighttpd
/usr/local/lighttpd/sbin/lighttpd -f /usr/local/lighttpd/etc/lighttpd.conf
测试
curl http://ip/ 因为/www/pages/下没有HTML页面所以返回:
404 - Not Found
shell script
lighttpd script
例 23.1. /etc/init.d/lighttpd
#!/bin/bash
# lighttpd init file for web server
#
# description: Security, speed, compliance, and flexibility--all of these describe
LightTPD which is rapidly redefining efficiency of a webserver;
# as it is designed and optimized for high performance
environments.
#
# processname: $PROG
# config:
# pidfile: /var/run/lighttpd


PREFIX=/usr/local/lighttpd
PROG=$PREFIX/sbin/lighttpd
OPTIONS="-f /usr/local/lighttpd/etc/lighttpd.conf"
USER=daemon
RETVAL=0
prog="lighttpd"
start() {
RETVAL=1
failure
else
daemon --user=$USER $PROG $OPTIONS
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/lighttpd
fi;
echo
return $RETVAL
}
stop() {
RETVAL=1
failure
else
killproc $PROG
RETVAL=$?
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/lighttpd
fi;
echo
return $RETVAL
}
reload(){
killproc $PROG -HUP
RETVAL=$?
echo
return $RETVAL
}
restart(){
stop
start
}
condrestart(){
[ -e /var/lock/subsys/lighttpd ] && restart
return 0
}

case "$1" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
reload)
reload
;;
condrestart)
condrestart
;;
status)
status lighttpd
RETVAL=$?
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart|reload}"
RETVAL=1
esac
exit $RETVAL

第 23 章 Lighttpd and fastcgi 起始页 Module

Module
Module
Module
simple-vhost
$ sudo lighty-enable-mod simple-vhost
simple-vhost.default-host = "www.example.com"
create your virtual host directory
$ mkdir -p /var/www/www.example.com/html
create a test file
$ echo helloworld!!!> /var/www/www.example.com/html/index.html
enable fastcgi
enable fastcgi
$ sudo lighty-enable-mod fastcgi
ssl
启用 ssl 模块
$ sudo lighttpd-enable-mod ssl

[sudo] password for neo:
Available modules: auth cgi fastcgi proxy rrdtool simple-vhost ssi ssl status userdir
Already enabled modules: cgi fastcgi simple-vhost
Enabling ssl: ok
Run /etc/init.d/lighttpd force-reload to enable changes
创建 ssl 证书

Module
$ sudo openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
$ sudo chmod 400 server.pem
redirect
url.redirect = ( "^/music/(.+)" => "http://www.example.org/

$1" )
rewrite
example 1
url.rewrite-once = ( "^/wiki/(.*)$" => "/wiki/awki.cgi/$1" )

$HTTP["url"] =~ "^/wiki" {
$HTTP["url"] !~ "^/wiki/awki.cgi/" {
url.access-deny = ("")
}
}
example 2
$HTTP["host"] =~ "^.*\.(6600.org)$" {
url.rewrite-once = ( "^/(.*)" => "/index.php/$1" )
}
example 3
$HTTP["host"] =~ "^.*\.(6600.org)$" {
url.rewrite = (
"^/(images|stylesheet).*" => "/$0",
"^/(.*)" => "/index.php/$1"
)
}
alias.url

Module
$HTTP["host"] =~ "^.*\.(6600.org)$" {
alias.url = (
"/images" => "/home/neo/workspace/Development/photography/application/
photography/images",
"/stylesheet" => "/home/neo/workspace/Development/photography/application/
photography/stylesheet"
)
}
auth
enable auth
$ sudo lighttpd-enable-mod auth
/etc/lighttpd/conf-enabled/05-auth.conf
$ sudo vim conf-enabled/05-auth.conf
auth.backend = "plain"
auth.backend.plain.userfile = "/etc/lighttpd/.secret"
auth.require = ( "/tmp/" =>

(
"method" => "basic",
"realm" => "Password protected area",
"require" => "user=neo"
)
)
create a passwd file
$ sudo vim .secret

neo:chen
$ sudo chmod 400 .secret

$ sudo chown www-data /etc/lighttpd/.secret
$ sudo /etc/init.d/lighttpd reload
compress module

Module
创建cache目录
mkdir -p /tmp/lighttpd/cache/compress/
配置lighttpd.conf文件
找到server.modules列表,去掉"mod_compress"注释,再打开compress module的注释
#### compress module

compress.cache-dir = "/tmp/lighttpd/cache/compress/"
compress.filetype = ("text/plain", "text/html")
Compressing Dynamic Content¶
php.ini
zlib.output_compression = On
zlib.output_handler = On
最后使用telnet测试
telnet www.bg7nyt.cn 80
GET /index.html HTTP/1.0

Host: 10.10.100.183
Accept-Encoding: gzip,deflate
看到乱码输出,而非HTML,表示配置成功.
mod_expire
<access|modification> <number> <years|months|days|hours|minutes|seconds>
expire.url = ( "/images/" => "access 1 hours" )
Example to include all sub-directories:
$HTTP["url"] =~ "^/images/" {
expire.url = ( "" => "access 1 hours" )

Module
status
$ sudo lighty-enable-mod status

$ sudo /etc/init.d/lighttpd force-reload

to compile and then install lighttpd 起始页 fastcgi

fastcgi
fastcgi
fastcgi
PHP
php fastcgi
编译安装ＰＨＰ
1. 下载PHP
cd /usr/local/src/
wget http://cn2.php.net/get/php-5.2.3.tar.bz2/from/cn.php.net/mirror
tar jxvf php-5.2.3.tar.bz2
cd php-5.2.3
2. configure
./configure --prefix=/usr/local/php-5.2.3 \
--with-config-file-path=/usr/local/php-5.2.3/etc \
--enable-fastcgi \
--enable-force-cgi-redirect \
--with-curl \
--with-gd \
--with-ldap \
--with-snmp \
--enable-zip \
--enable-exif \
--with-pdo-mysql \
--with-pdo-pgsql \
make
make test
make install
其它有用的模块

fastcgi
--enable-pcntl
3. 符号连接
ln -s /usr/local/php-5.2.3 /usr/local/php
ln -s /usr/local/php/bin/php /usr/local/bin/php
4. php.ini
cp php.ini-dist /usr/local/php/etc/php.ini
5. env
PHP_FCGI_CHILDREN=384
6. 使用 php -v FastCGI 安装情况
php -v
显示(cgi-fcgi)表示正确
# cd /usr/local/php/
# bin/php -v
PHP 5.2.2 (cgi-fcgi) (built: May 25 2007 15:50:28)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
(cgi-fcgi)不能正常工作
PHP 5.2.2 (cli) (built: May 25 2007 15:50:28)

Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
使用 php -m 查看PHP Modules

fastcgi
# bin/php -m
[PHP Modules]
cgi-fcgi
ctype
date
dom
filter
gd
hash
iconv
json
ldap
libxml
mssql
pcre
PDO
pdo_mysql
pdo_sqlite
posix
Reflection
session
SimpleXML
snmp
SPL
SQLite
standard
tokenizer
xml
xmlreader
xmlwriter
zip
[Zend Modules]
apt-get install
$ sudo apt-get install php5 php5-cli php5-cgi
参考php安装
找到 fastcgi.server 去掉注释

fastcgi
bin-path 改为PHP程序安装目录
fastcgi.server = ( ".php" =>

( "localhost" =>
(
"socket" => "/tmp/php-fastcgi.socket",
"bin-path" => "/usr/local/php/bin/php"
)
)
)
下面例子更复杂一些
1. /usr/local/lighttpd/etc/lighttpd.conf
include /usr/local/lighttpd/etc/php-fastcgi.conf
2. /usr/local/lighttpd/etc/php-fastcgi.conf
fastcgi.server = ( ".php" =>

( "localhost" =>
( "socket" => "/tmp/php-fastcgi.socket",
"bin-path" => "/usr/local/php/bin/php",
"min-procs" => 1,
"max-procs" => 5,
"max-load-per-proc" => 4,
"idle-timeout" => 20
)
)
)
3. PHP FastCGI环境测试
echo "<?php phpinfo(); ?>" > /www/pages/index.php
curl http://127.0.0.1/index.php
Python

fastcgi
sudo apt-get install python

sudo apt-get install python-setuptools
Django
wget http://www.djangoproject.com/download/0.96/tarball/
tar zxvf Django-0.96.tar.gz
cd Django-0.96
python setup.py install
生成项目
django-admin.py startproject newtest
web server
cd newtest/
./manage.py runserver
helloworld.py
from django.http import HttpResponse
def index(request):
return HttpResponse("Hello, Django.")
urls.py
from django.conf.urls.defaults import *
urlpatterns = patterns('',
# Example:
# (r'^newtest/', include('newtest.foo.urls')),
(r'^$', 'newtest.helloworld.index'),
# Uncomment this for admin:

fastcgi
# (r'âdmin/', include('django.contrib.admin.urls')),
)
启动Web Server
# ./manage.py runserver
Validating models...
0 errors found.
Django version 0.96, using settings 'newtest.settings'

Development server is running at http://127.0.0.1:8000/
Quit the server with CTRL-BREAK.
curl http://127.0.0.1:8000/
Python Imaging Library
Debian/Ubuntu
sudo apt-get install libjpeg62-dev

sudo apt-get install python-imaging
采用源码安装
tar zxvf Imaging-1.1.6.tar.gz

cd Imaging-1.1.6/
sudo python setup.py install
decoder jpeg not available
首先确认jpeg库是否安装
find / -name jpeglib.h
然后修改头文件
Imaging-1.1.6/libImaging

fastcgi
修改Jpeg.h, #include "jpeglib.h" 改为
#include "/usr/include/jpeglib.h"
Perl
install fastcgi module
$ sudo apt-get install libfcgi-perl libfcgi-procmanager-perl
Installing lighttpd and FastCGI for Catalyst
The examples also use a virtual host regexp that matches either www.myapp.com or myapp.com
$HTTP["host"] =~ "^(www.)?mysite.com"
Starting the FastCGI server
MyApp/script/myapp_fastcgi.pl -l /tmp/myapp.socket -n 5 -d
lighttpd.conf
server.document-root = "/var/www/MyApp/root"
$ sudo vim /etc/lighttpd/conf-available/10-fastcgi.conf
fastcgi.server = (
"" => (
"MyApp" => (
"socket" => "/tmp/myapp.socket",
"check-local" => "disable"
)
)
)

fastcgi
restart lighttpd
neo@master:~$ sudo /etc/init.d/lighttpd restart

* Stopping web server lighttpd [ OK ]
* Starting web server lighttpd [ OK ]
Testing
http://127.0.0.1/
More advanced configuration
例 23.2. fastcgi.conf
fastcgi.server = (
"" => (
"MyApp" => (
"socket" => "/tmp/myapp.socket",
"check-local" => "disable",
"bin-path" => "/var/www/MyApp/script/myapp_fastcgi.pl",
"min-procs" => 2,
"max-procs" => 5,
"idle-timeout" => 20
)
)
)

Module 起始页第 24 章 Nginx

第 24 章 Nginx
第 24 章 Nginx
第 24 章 Nginx
目录

$ sudo apt-get install nginx
/etc/init.d/nginx start
config php fastcgi
sudo vim /etc/nginx/sites-available/default
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
include fastcgi_params;
}
Spawn-fcgi
We still need a script to start our fast cgi processes. We will extract one from Lighttpd. and then disable

第 24 章 Nginx
start script of lighttpd
$ sudo apt-get install lighttpd

$ sudo chmod -x /etc/init.d/lighttpd
$ sudo touch /usr/bin/php-fastcgi

$ sudo vim /usr/bin/php-fastcgi
#!/bin/sh
/usr/bin/spawn-fcgi -a 127.0.0.1 -p 9000 -u www-data -f /usr/bin/php5-
cgi
fastcgi daemon
$ sudo touch /etc/init.d/nginx-fastcgi

$ sudo chmod +x /usr/bin/php-fastcgi
$ sudo vim /etc/init.d/nginx-fastcgi
This is also a new empty file, add the following and save:
#!/bin/bash
PHP_SCRIPT=/usr/bin/php-fastcgi
RETVAL=0
case "$1" in
start)
$PHP_SCRIPT
RETVAL=$?
;;
stop)
killall -9 php
RETVAL=$?
;;
restart)
killall -9 php
$PHP_SCRIPT
RETVAL=$?
;;
*)
echo "Usage: nginx-fastcgi {start|stop|restart}"
exit 1
;;
esac

第 24 章 Nginx
exit $RETVAL
We need to change some permissions to make this all work.

$ sudo chmod +x /etc/init.d/nginx-fastcgi
create a test file
sudo vim /var/www/nginx-default/index.php

<?php echo phpinfo(); ?>

fastcgi 起始页 installing by source

上一页第 24 章 Nginx 下一页
./configure --prefix=/usr/local/server/nginx --with-openssl=/usr/include \

--with-pcre=/usr/include/pcre/ --with-http_stub_status_module --without-
http_memcached_module \
--without-http_fastcgi_module --without-http_rewrite_module --without-
http_map_module \
--without-http_geo_module --without-http_autoindex_module

第 24 章 Nginx 起始页第 25 章 LAMP
第 25 章 LAMP
第 25 章 LAMP
第 25 章 LAMP
目录
Install
XAMPP for Linux
Apache 调优
worker
Listen
VirtualHost
Module
Apache Status
Alias / AliasMatch
Rewrite
Proxy
deflate
mod_expires
Apache Log
Charset
PHP 5
Mod Perl
Error Prompt
Invalid command 'Order', perhaps misspelled or defined by a module not included in the server configuration
Invalid command 'AuthUserFile', perhaps misspelled or defined by a module not included in the server
configuration
Install
$ sudo apt-get install apache2$ sudo apt-get install apache2-mpm-worker
netkiller@Linux-server:~$ sudo apt-get install apache2

第 25 章 LAMP
command
enable module: a2enmod
enable site: a2ensite
rewrite module
$ sudo a2enmod rewrite
PHP module
$ sudo a2enmod php5
deflate module
root@neo:/etc/apache2# a2enmod deflate

Module deflate installed; run /etc/init.d/apache2 force-reload to enable.
root@neo:/etc/apache2# /etc/init.d/apache2 force-reload
* Forcing reload of apache 2.0 web
server... [ ok ]
root@neo:/etc/apache2#
ssl module
a2enmod ssl
a2ensite ssl
/etc/apache2/httpd.conf 加入
ServerName 220.201.35.11
安全模块
netkiller@Linux-server:~$ sudo apt-get install libapache2-mod-security
netkiller@Linux-server:/etc/apache2$ sudo vi ports.conf

netkiller@Linux-server:/etc/apache2$ cat ports.conf
Listen 80
Listen 443

第 25 章 LAMP
NameVirtualHost *
NameVirtualHost *:443
netkiller@Linux-server:/etc/apache2$ sudo apache2-ssl-certificate

or
netkiller@Linux-server:~$ apache2-ssl-certificate -days 365
netkiller@Linux-server:~$ a2enmod ssl

or
netkiller@Linux-server:/etc/apache2/mods-enabled$ sudo ln -s ../mods-available/ssl.
conf
netkiller@Linux-server:/etc/apache2/mods-enabled$ sudo ln -s ../mods-available/ssl.
load
netkiller@Linux-server:/etc/apache2/sites-enabled$ sudo mkdir ssl/

netkiller@Linux-server:/etc/apache2/sites-enabled$ sudo cp netkiller woodart ssl/
netkiller@Linux-server:/etc/apache2/mods-enabled$ sudo /etc/init.d/apache2 reload

* Reloading apache 2.0 configuration...
[ ok ]
netkiller@Linux-server:/etc/apache2/mods-enabled$
VirtualHost
VirtualHost 虚拟主机
netkiller@Linux-server:/etc/apache2/sites-available$ sudo vi woodart
#NameVirtualHost neo.6600.org
<VirtualHost 220.201.35.11>
ServerAdmin openx@163.com
DocumentRoot /home/netkiller/www
ServerName neo.6600.org
ServerAlias www.neo.6600.org
<Directory /home/netkiller/www>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
# Uncomment this directive is you want to see apache2's
# default start page (in /apache2-default) when you go to /
#RedirectMatch ^/$ /apache2-default/
</Directory>
# ScriptAlias /cgi-bin/ /home/netkiller/www/

第 25 章 LAMP
# <Directory "/home/netkiller/www">
# AllowOverride None
# Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
# Order allow,deny
# Allow from all
# </Directory>
ErrorLog /var/log/apache2/neo.error.log
# Possible values include: debug, info, notice, warn, error, crit,

# alert, emerg.
# LogLevel warn
CustomLog /var/log/apache2/neo.access.log combined

# ServerSignature On
</VirtualHost>
netkiller@Linux-server:/etc/apache2/sites-available$ sudo apache2 -k restart
~userdir module - /public_html
~web环境
netkiller@Linux-server:~$ mkdir public_html

netkiller@Linux-server:~$ cd public_html/
netkiller@Linux-server:~/public_html$
netkiller@Linux-server:~/public_html$ echo helloworld>index.html
netkiller@Linux-server:~/public_html$ ls
index.html
http://xxx.xxx.xxx.xxx/~netkiller/
XAMPP for Linux
http://www.apachefriends.org/en/xampp-linux.html
Apache 安装与配置
configure
--with-mpm=worker 进程,线程混合方式效率提高不少
--enable-modules='dir mime' 没有它就找不到index.*文件

第 25 章 LAMP
--enable-rewrite=shared Rewrite用于表态化
--enable-expires=shared 禁止页面被 cache
--enable-authz_host=shared Order权限
--enable-setenvif=shared
--enable-log_config=shared 日志格式
--enable-speling=shared 允许自动修正拼错的URL
--enable-deflate=shared 压缩传送
--enable-mods-shared='cache file-cache disk-cache mem-cache proxy proxy-ajp proxy-balancer' 代理和缓存
tar zxvf httpd-2.2.4.tar.gz

cd httpd-2.2.4
./configure --prefix=/usr/local/httpd-2.2.4 \
--with-mpm=worker \
--enable-modules='dir mime' \
--enable-rewrite=shared \
--enable-authz_host=shared \
--enable-alias=shared \
--enable-setenvif=shared \
--enable-log_config=shared \
--enable-speling=shared \
--enable-filter=shared \
--enable-deflate=shared \
--enable-headers=shared \
--enable-expires=shared \
--enable-mods-shared='cache file-cache disk-cache mem-cache proxy proxy-ajp proxy-
balancer' \
--disable-include \
--disable-actions \
--disable-alias \
--disable-asis \
--disable-autoindex \
--disable-auth_basic \
--disable-authn_file \
--disable-authn_default \
--disable-authz_groupfile \
--disable-authz_user \
--disable-authz_default \
--disable-cgi \
--disable-cgid \
--disable-env \
--disable-negotiation \
--disable-status \
--disable-userdir

第 25 章 LAMP
make; make install
启动
ln -s /usr/local/httpd-2.2.4/ /usr/local/apache
bin/apachectl start
cronolog
cronolog
cd /usr/local/src/
wget http://cronolog.org/download/cronolog-1.6.2.tar.gz
tar zxvf cronolog-1.6.2.tar.gz
cd cronolog-1.6.2
./configure --prefix=/usr/local/cronolog
make
make install
CustomLog "|/usr/local/cronolog/sbin/cronolog /opt/apache/logs/access_log.%Y%m%d" combined
PHP
过程 25.1. 安装PHP
1. 第一步
cd /usr/local/src
wget http://cn2.php.net/get/php-5.3.0.tar.bz2/from/cn.php.net/mirror
tar jxvf php-5.3.0.tar.bz2
cd php-5.3.0
2. 第二步
./configure --prefix=/usr/local/php-5.3.0 \
--with-config-file-path=/usr/local/php-5.3.0/etc \
--with-apxs2=/usr/local/apache/bin/apxs \
--with-curl \
--with-gd \
--with-ldap \
--with-snmp \
--enable-zip \

第 25 章 LAMP
--enable-exif \
--with-libxml-dir \
--with-mysql \
--with-mysqli \
--with-pdo-mysql \
--with-pdo-pgsql
make
make test
make install
a. 建立符号连接
ln -s /usr/local/php-5.3.0 /usr/local/php
b. php.ini
cp php.ini-dist /usr/local/php/etc/php.ini
c. conf/httpd.conf
AddType application/x-httpd-php .php .phtml

AddType application/x-httpd-php-source .phps
reload apache
3. 最后一步
phpinfo() 测试文件复杂到apache目录
例 25.1. index.php
<?php phpinfo(); ?>
--with-snmp
redhat as4 启用 --with-snmp 需要安装下面包
rpm -i elfutils-libelf-devel-0.97.1-3.i386.rpm

第 25 章 LAMP
rpm -i elfutils-devel-0.97.1-3.i386.rpm
rpm -i beecrypt-devel-3.1.0-6.i386.rpm
rpm -i net-snmp-devel-5.1.2-11.EL4.7.i386.rpm
编译扩展模块
单独编译php扩展模块
例 25.2. php memcache
[root@websrv]# cd /usr/local/php-5.3.0/ext/xmlrpc
[root@websrv]# /usr/local/php-5.3.0/bin/phpize
[root@websrv]# ./configure --with-php-config=/usr/local/php-5.3.0/bin/php-config
[root@websrv]# make
[root@websrv]# make test
[root@websrv]# make install
Installing shared extensions: /usr/local/php-5.3.0/lib/php/extensions/no-debug-zts-
20060613/
[root@websrv]# mv /usr/local/php-5.3.0/lib/php/extensions/no-debug-zts-20060613/* /
usr/local/php-5.3.0/lib/php/extensions/
修改配置在php.ini里，配置扩展目录并添加扩展模块引用：
extension_dir = "/usr/local/php-5.3.0/lib/php/extensions/"
extension = xmlrpc.so
例 25.3. php openssl
[root@test src]# cd src/php-5.2.13/ext/openssl/

[root@test openssl]# cp config0.m4 config.m4
[root@test openssl]# /usr/local/php/bin/phpize
Configuring for:
PHP Api Version: 20041225
Zend Module Api No: 20060613
Zend Extension Api No: 220060519
[root@test openssl]# ./configure --with-php-config=/usr/local/php/bin/php-config
[root@test openssl]# make && make test && make install
Thank you for helping to make PHP better.
Installing shared extensions: /usr/local/php-5.2.13/lib/php/extensions/no-debug-

第 25 章 LAMP
zts-20060613/
[root@test openssl]# cp /usr/local/php-5.2.13/lib/php/extensions/no-debug-zts-
20060613/* /usr/local/php-5.2.13/lib/php/extensions/
php.ini
extension_dir = "/usr/local/php-5.2.13/lib/php/extensions/"
extension = openssl.so
例 25.4. autolamp.sh
#!/bin/bash
HTTPD_SRC=httpd-2.2.15.tar.gz
PHP_SRC=php-5.2.13.tar.gz
MYSQL_SRC='mysql-5.1.45.tar.gz'
MYSQL_LIBS_SRC='mysql-5.1.45-linux-x86_64-glibc23.tar.gz'
SRC_DIR=$(pwd)
HTTPD_DIR=${HTTPD_SRC%%.tar.gz}
PHP_DIR=${PHP_SRC%%.tar.*}
MYSQL_DIR=${MYSQL_SRC%%.tar.*}
MYSQL_LIBS_DIR=${MYSQL_LIBS_SRC%%.tar.*}
function clean(){
rm -rf $HTTPD_DIR
rm -rf $PHP_DIR
rm -rf $MYSQL_DIR
rm -rf $MYSQL_LIBS_DIR
}
function mysql(){
rm -rf $MYSQL_DIR
tar zxf $MYSQL_SRC
cd $MYSQL_DIR
./configure \
--prefix=/usr/local/$MYSQL_DIR \
--with-mysqld-user=mysql \
--with-unix-socket-path=/tmp/mysql.sock \
--with-charset=utf8 \
--with-collation=utf8_general_ci \
--with-pthread \

第 25 章 LAMP
--with-mysqld-ldflags \
--with-client-ldflags \
--with-openssl \
--without-docs \
--without-debug \
--without-ndb-debug \
--without-bench
#-–without-isam
#--without-innodb \
#--without-ndbcluster \
#--without-blackhole \
#--without-ibmdb2i \
#--without-federated \
#--without-example \
#--without-comment \
#--with-extra-charsets=gbk,gb2312,utf8 \
#--localstatedir=/usr/local/mysql/data
#--with-extra-charsets=all
make clean
make && make install
cd ..
/usr/local/$MYSQL_DIR/bin/mysql_install_db
}
function httpd(){
rm -rf $HTTPD_DIR
tar zxf $HTTPD_SRC
cd $HTTPD_DIR
./configure --prefix=/usr/local/$HTTPD_DIR \
--with-mpm=worker \
--enable-so \
--enable-mods-shared=all \
--disable-authn_file \
--disable-authn_default \
--disable-authz_groupfile \
--disable-authz_user \
--disable-authz_default \
--disable-auth_basic \
--disable-include \
--disable-env \
--disable-status \
--disable-autoindex \
--disable-asis \
--disable-cgi \
--disable-cgid \
--disable-negotiation \
--disable-actions \
--disable-userdir \
--disable-alias
make clean
cd ..

第 25 章 LAMP
}
function php(){
rm -rf $MYSQL_LIBS_DIR
tar zxf $MYSQL_LIBS_SRC
rm -rf $PHP_DIR
tar zxf $PHP_SRC
cd $PHP_DIR
./configure --prefix=/usr/local/$PHP_DIR \
--with-config-file-path=/usr/local/$PHP_DIR/etc \
--with-apxs2=/usr/local/$HTTPD_DIR/bin/apxs \
--with-curl \
--with-gd \
--with-jpeg-dir=/usr/lib64 \
--with-iconv \
--with-zlib-dir \
--with-pear \
--with-libxml \
--with-dom \
--with-xmlrpc \
--with-openssl \
--with-mysql=/usr/local/mysql-5.1.45-linux-x86_64-glibc23 \
--with-mysqli \
--with-pdo-mysql \
--enable-memcache \
--enable-zip \
--enable-sockets \
--enable-soap \
--enable-mbstring \
--enable-magic-quotes \
--enable-inline-optimization \
--enable-xml
#make && make test && make install

cp /usr/local/src/$PHP_DIR/php.ini-dist /usr/local/$PHP_DIR/php.ini
}
function depend(){
yum install gcc gcc-c++ -y
yum install -y libxml2-devel libxslt-devel
yum install curl-devel -y
yum install gd-devel libjpeg-devel libpng-devel -y
yum install ncurses-devel -y
yum install mysql-devel -y
yum install libevent-devel -y
}
function java(){
#yum install java-1.6.0-openjdk -y
chmod +x jdk-6u20-linux-x64.bin
./jdk-6u20-linux-x64.bin
mv jdk1.6.0_20 ..
ln -s /usr/local/jdk1.6.0_20 /usr/local/java
}

第 25 章 LAMP
function memcached(){
MEMCACHED_PKG=memcached-1.4.5.tar.gz
MEMCACHED_SRC=memcached-1.4.5
rm -rf $MEMCACHED_SRC
tar zxf $MEMCACHED_PKG
cd $MEMCACHED_SRC
./configure --prefix=/usr/local/memcached-1.4.5
}
# See how we were called.
case "$1" in
clean)
clean
;;
httpd)
httpd
;;
php)
php
;;
mysql)
if [ -f $0 ] ; then
mysql
fi
;;
depend)
depend
;;
java)
java
;;
memcached)
memcached
;;
all)
clean
echo ##################################################
echo # $MYSQL_DIR Installing...
echo ##################################################
mysql
echo ##################################################
echo # $HTTPD_DIR Installing...
echo ##################################################
httpd
echo ##################################################
echo # $PHP_DIR Installing...
echo ##################################################
php
ln -s /usr/local/$HTTPD_DIR /usr/local/apache

第 25 章 LAMP
ln -s /usr/local/$MYSQL_DIR /usr/local/mysql
ln -s /usr/local/$PHP_DIR /usr/local/php
clean
;;
*)
echo $"Usage: $0 {httpd|php|mysql|all|clean}"
RETVAL=2
;;
esac
exit $RETVAL

installing by source 起始页 Apache 调优

Apache 调优
Apache 调优
上一页第 25 章 LAMP 下一页
Apache 调优
worker
worker
# Server-pool management (MPM specific)

Include conf/extra/httpd-mpm.conf
conf/extra/httpd-mpm.conf
mpm_worker_module
<IfModule mpm_worker_module>
ServerLimit 60
ThreadLimit 500
StartServers 5
MaxClients 15000
MinSpareThreads 100
MaxSpareThreads 600
ThreadsPerChild 300
MaxRequestsPerChild 0
</IfModule>
Listen
绑定多个IP
#Listen 80

Apache 调优
Listen 192.168.3.40:80
Listen 192.168.4.40:80
Listen 192.168.5.40:80

第 25 章 LAMP 起始页 VirtualHost

VirtualHost
VirtualHost
VirtualHost
conf/extra/httpd-vhosts.conf
or
/etc/httpd/conf.d/vhost.conf
NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/usr/local/httpd-2.2.14/docs/dummy-host.example.com"
ServerName dummy-host.example.com
ServerAlias www.dummy-host.example.com
ErrorLog "logs/dummy-host.example.com-error_log"
CustomLog "logs/dummy-host.example.com-access_log" common
</VirtualHost>

Apache 调优起始页 Module
Module
Module
Module
This will not list dynamically loaded modules included using the LoadModule directive.
[root@development bin]# httpd -l

Compiled in modules:
core.c
worker.c
http_core.c
mod_so.c
Apache Status
开启Apache的status模块，需要修改httpd.conf，增加以下配置段：
ExtendedStatus On
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 125.76.229.113
</Location>
http://www.domain.com/server-status
Alias / AliasMatch
Alias /image /ftp/pub/image

AliasMatch ^/icons(.*) /usr/local/apache/icons$1
Redirect

Module
Redirect /service http://foo2.example.com/service

Redirect permanent /one http://example.com/two
Redirect 303 /three http://example.com/other
RedirectMatch
RedirectMatch (.*)\.gif$ http://www.domain.com$1.jpg
<VirtualHost *:80>
ServerName www.old.com
DocumentRoot /path/to/htdocs
......
<Directory "/path/to/htdocs">
RedirectMatch ^/(.*)$ http://www.new.com/$1
</Directory>
</VirtualHost>
Rewrite
Rewrite + JkMount
JkMount 与 Rewrite 同时使用时
RewriteRule ^/communtiy/top/(.*)$ /community.do?method=activeContent&id=$1 [PT]
后面用[PT]
Apache redirect domain.com to www.domain.com
$ vi .htaccess
RewriteEngine on
RewriteCond %{HTTP_HOST} ^domain\.com
RewriteRule ^(.*)$ http://www.domain.com/$1 [R=permanent,L]
redirect

Module
<VirtualHost *:80>
ServerAdmin webmaster@example.com
DocumentRoot "/www/www.example.com/images"
ServerName images.example.com
RewriteEngine On
RewriteRule ^(.+)(jpg|gif|bmp|jpeg|ico|png|css)$ http://images.other.com/$1$2 [R]
ErrorLog "logs/images.example.com-error.log"
</VirtualHost>
Proxy
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://your.domain.com:8080/
ProxyPassReverse / http://your.domain.com:8080/
deflate
mod_deflate
httpd.conf中中加入下列语句：
<IfModule mod_deflate.c>
SetOutputFilter DEFLATE
DeflateCompressionLevel 9
AddOutputFilterByType DEFLATE text/html text/plain text/xml application/x-httpd-php
AddOutputFilter DEFLATE txt css js
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
DeflateFilterNote Input input_info
DeflateFilterNote Output output_info
DeflateFilterNote Ratio ratio_info
LogFormat '"%r" %{output_info}n/%{input_info}n (%{ratio_info}n%%)' deflate
CustomLog logs/deflate_log.log deflate
</IfModule>

Module
对目录/usr/local/apache/htdocs有效
<Directory "/usr/local/apache/htdocs">
AllowOverride None
Options None
Order allow,deny
Allow from all
SetOutputFilter DEFLATE
DeflateCompressionLevel 9
AddOutputFilterByType DEFLATE text/html text/plain text/xml application/x-
httpd-php
AddOutputFilter DEFLATE txt css js
SetEnvIfNoCase Request_URI \
\.(?:gif|jpe?g|png)$ no-gzip dont-vary
</Directory>
Log定义
DeflateFilterNote Input input_info # 未压缩前

DeflateFilterNote Output output_info # 压缩后
DeflateFilterNote Ratio ratio_info # 百分比
LogFormat '"%r" %{output_info}n/%{input_info}n (%{ratio_info}n%%)' deflate # 格式定义
CustomLog logs/deflate_log.log deflate # 日志位置
测试 gzip,deflate 模块
telnet www.bg7nyt.cn 80
GET /index.html HTTP/1.0

Host: www.bg7nyt.cn
Accept-Encoding: gzip,deflate
你看到的是乱码,而不是HTML.
mod_expires
ExpiresActive On
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 month"
ExpiresByType image/png "access plus 1 month"

Module
ExpiresByType text/html "access plus 30 minutes"

ExpiresByType text/css "access plus 30 minutes"
ExpiresByType text/js "access plus 30 minutes"
ExpiresByType application/x-javascript "access plus 30 minutes"
ExpiresByType application/x-shockwave-flash "access plus 30 minutes"
Apache Log
分割log日志文件
<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
combined
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{email}
C %{nickname}C" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O"
combinedio
</IfModule>
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
#CustomLog logs/access_log common
#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
CustomLog logs/access_log combined
#CookieLog logs/cookie_log
</IfModule>

Module
log日志文件记录用户的cookie
跟踪用户信息
LoadModule usertrack_module modules/mod_usertrack.so
CookieTracking on
CookieDomain .chedong.com
CookieExpires "10 years"
CookieStyle Cookie
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{cookie}n"

combined
Charset
Default charset
AddCharset UTF-8 .html
AddType 'text/html; charset=UTF-8' html
AddDefaultCharset UTF-8
Files match
<FilesMatch "\.(htm|html|css|js)$">
ForceType 'text/html; charset=UTF-8'
</FilesMatch>
<FilesMatch "\.(htm|html|css|js)$">
AddDefaultCharset UTF-8
</FilesMatch>
Changing the occasional file
<Files "example.html">
AddCharset UTF-8 .html
</Files>
<Files "example.html">
ForceType 'text/html; charset=UTF-8'

Module
</Files>

VirtualHost 起始页 PHP 5

PHP 5
PHP 5
PHP 5
$ sudo apt-get install php5
netkiller@Linux-server:~$ sudo apt-get install php5
pgsql模块
netkiller@Linux-server:~$ sudo apt-get install php5-pgsql
netkiller@Linux-server:~$sudo cp /usr/lib/php5/20051025/pgsql.so /etc/php5/apache2/
php5-gd - GD module for php5
$ sudo apt-get install php5-gd
netkiller@Linux-server:~$ apt-cache search gd

libgdbm3 - GNU dbm database routines (runtime version)
libgd2-xpm - GD Graphics Library version 2
php5-gd - GD module for php5
pnm2ppa - PPM to PPA converter
postgresql-doc-8.1 - documentation for the PostgreSQL database management system
libruby1.8 - Libraries necessary to run Ruby 1.8
ruby1.8 - Interpreter of object-oriented scripting language Ruby 1.8
klogd - Kernel Logging Daemon
sysklogd - System Logging Daemon
upstart-logd - boot logging daemon
netkiller@Linux-server:~$ sudo apt-get install php5-gd
netkiller@Linux-server:~$

Module 起始页 Mod Perl
Mod Perl
Mod Perl
Mod Perl
ref: http://search.cpan.org/~agrundma/Catalyst-Engine-Apache-1.07/lib/Catalyst/Engine/
Apache2/MP20.pm
$ sudo apt-get install libapache2-mod-perl2 $ sudo apt-get install libcatalyst-

engine-apache-perl
$ sudo vi /etc/apache2/sites-available/catalyst.conf
例 25.5. mod_perl.conf
PerlSwitches -I/var/www/MyApp/lib
# Preload your entire application
PerlModule MyApp
<VirtualHost 192.168.245.129:80>
ServerName 192.168.245.129
DocumentRoot /var/www/MyApp/root
<Directory /var/www/MyApp/root>
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
# If the server is started as:

# httpd -X -D PERLDB
# then debugging will be turned on
# <IfDefine PERLDB>
# PerlRequire conf/db.pl
# <Location />

Mod Perl
# PerlFixupHandler Apache::DB
# </Location>
# </IfDefine>
<Location />
SetHandler modperl
PerlResponseHandler MyApp
</Location>
Alias /static /var/www/MyApp/root/static

<Location /static>
SetHandler default-handler
</Location>
</VirtualHost>
db.pl
use APR::Pool ();

use Apache::DB ();
Apache::DB->init();
enable site
$ sudo a2ensite mod_perl.conf

$ sudo /etc/init.d/apache2 restart

PHP 5 起始页 Error Prompt

Error Prompt
Error Prompt
Error Prompt
Invalid command 'Order', perhaps misspelled or defined by a module not

没有加载 mod_authz_host 模块
LoadModule authz_host_module modules/mod_authz_host.so
Invalid command 'AuthUserFile', perhaps misspelled or defined by a module

not included in the server configuration
LoadModule auth_basic_module /usr/lib/apache2/modules/mod_auth_basic.so

LoadModule authz_owner_module /usr/lib/apache2/modules/mod_authz_owner.so
LoadModule authn_file_module /usr/lib/apache2/modules/mod_authn_file.so

Mod Perl 起始页第 26 章 Tomcat 安装与配置
第 26 章 Tomcat 安装与配置
目录
install java
install tomcat
Connector
mod_jk
mod_proxy_ajp
Testing file
Script 1
Shell Script 2
install java
解压安装
chmod +x jdk-6u1-linux-i586.bin
./jdk-6u1-linux-i586.bin
输入"yes"回车
mv jdk1.6.0_01 /usr/local/
ln -s /usr/local/jdk1.6.0_01/ /usr/local/java
/etc/profile.d/java.sh
例 26.1. /etc/profile.d/java.sh
################################################
### Java environment
################################################
export JAVA_HOME=/usr/local/java
export JRE_HOME=/usr/local/java/jre
export PATH=$PATH:/usr/local/java/bin:/usr/local/java/jre/bin
export CLASSPATH="./:/usr/local/java/lib:/usr/local/java/jre/lib:/usr/local/

memcached/api/java"
export JAVA_OPTS="-Xms512m -Xmx1024m"

Error Prompt 起始页 install tomcat

install tomcat
install tomcat
上一页第 26 章 Tomcat 安装与配置下一页
install tomcat
下载binary解压到/usr/local/
下载软件包
wget http://archive.apache.org/dist/tomcat/tomcat-6/v6.0.13/bin/apache-tomcat-6.0.13.
tar.gz
wget http://archive.apache.org/dist/tomcat/tomcat-connectors/native/tomcat-native-
1.1.10-src.tar.gz
wget http://archive.apache.org/dist/tomcat/tomcat-connectors/jk/source/jk-1.2.23/
tomcat-connectors-1.2.23-src.tar.gz
tar zxvf apache-tomcat-6.0.13.tar.gz

mv apache-tomcat-6.0.13 /usr/local/
ln -s /usr/local/apache-tomcat-6.0.13/ /usr/local/tomcat
tomcat-native
tar zxvf tomcat-native-1.1.10-src.tar.gz

cd tomcat-native-1.1.10-src/jni/native
./configure --with-apr=/usr/local/apache/bin/apr-1-config --with-java-home=/usr/
local/java/
make
make install
catalina.sh
CATALINA_OPTS="-Djava.library.path=/usr/local/apr/lib"
JAVA_OPTS="-Xss128k -Xms128m -Xmx1024m -XX:PermSize=128M -XX:MaxPermSize=256m -XX:
MaxNewSize=256m"
启动
startup.sh

install tomcat

第 26 章 Tomcat 安装与配置起始页 Connector

Connector
Connector
Connector
vi conf/server.xml
<Connector port="8009"
maxThreads="18000"
minSpareThreads="100"
maxSpareThreads="500"
enableLookups="false"
acceptCount="15000"
connectionTimeout="30000"
redirectPort="8443"
disableUploadTimeout="true"
URIEncoding="UTF-8"
protocol="AJP/1.3"/>
压缩传送数据
compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css"
如果你的站点编码非UTF-8,去掉URIEncoding="UTF-8"使用下面选项.
useBodyEncodingForURI="true"

install tomcat 起始页 mod_jk
mod_jk
mod_jk
mod_jk
mod_jk 安装
tar zxvf tomcat-connectors-1.2.23-src.tar.gz

cd tomcat-connectors-1.2.23-src/native/
./configure --with-apxs=/usr/local/apache/bin/apxs
make
make install
chmod 755 /usr/local/apache/modules/mod_jk.so
httpd.conf 尾部加入
Include conf/mod_jk.conf
配置workers.properties
apache/conf/workers.properties
# Define 1 real worker using ajp13

worker.list=worker1
# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8009
worker.worker1.lbfactor=1
worker.worker1.cachesize=128
worker.worker1.cache_timeout=600
worker.worker1.socket_keepalive=1
worker.worker1.reclycle_timeout=300

mod_jk
mod_jk.conf
apache/conf/mod_jk.conf
[chenjingfeng@d3010 Includes]$ cat mod_jk.conf

<IfModule mod_jk.c>
# Load mod_jk module
LoadModule jk_module modules/mod_jk.so
# Where to find workers.properties
JkWorkersFile /usr/local/apache/conf/workers.properties
# Where to put jk logs
JkLogFile /usr/local/apache/logs/mod_jk.log
# Set the jk log level [debug/error/info]
JkLogLevel error
# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# JkOptions indicate to send SSL KEY SIZE,
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
# JkRequestLogFormat set the request format
JkRequestLogFormat "%w %V %T"
JkShmFile /usr/local/apache2/logs/mod_jk.shm
# Send jsp,servlet for context * to worker named worker1
JkMount /status/* worker1
JkMount /*.jsp worker1
JkMount /*.jsps worker1
JkMount /*.do worker1
JkMount /*Servlet worker1
JkMount /jk/* worker1
</IfModule>
分别测试apache,tomcat

Connector 起始页 mod_proxy_ajp

mod_proxy_ajp
mod_proxy_ajp
mod_proxy_ajp
包含虚拟主机配置文件
# vi conf/httpd.conf
# Virtual hosts
Include conf/extra/httpd-vhosts.conf
虚拟主机中配置ProxyPass,ProxyPassReverse
# vi conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
ServerName netkiller.8800.org
ProxyPass /images !
ProxyPass /css !
ProxyPass /js !
ProxyPass /ajp ajp://localhost:8009/ajp
ProxyPassReverse /ajp ajp://localhost:8009/ajp
</VirtualHost>
反向代理和均衡负载模块
LoadModule proxy_module modules/mod_proxy.so

LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
ProxyPass /admin balancer://tomcatcluster/admin lbmethod=byrequests

mod_proxy_ajp
stickysession=JSESSIONID nofailover=Off timeout=5 maxattempts=3

ProxyPassReverse /admin balancer://tomcatcluster/admin
<Proxy balancer://tomcatcluster>
BalancerMember ajp://localhost:8009 route=web1
BalancerMember ajp://localhost:10009 smax=10 route=web2
BalancerMember ajp://localhost:11009 route=web3
BalancerMember ajp://localhost:12009 smax=10 route=web4
</Proxy>

mod_jk 起始页 RewriteEngine 连接 Tomcat

RewriteEngine On
RewriteRule ^/(.*) ajp://localhost:8009/ajp/$1 [P]

RewriteRule ^/(.*\.(jsp|do|sevlet)) ajp://localhost:8009/ajp/$1 [P]

mod_proxy_ajp 起始页 Testing file
Testing file
Testing file
Testing file
测试目录
[root@backup tomcat]# mkdir webapps/ajp

[root@backup tomcat]# mkdir webapps/jk
[root@backup tomcat]# vi webapps/ajp/index.jsp
[root@backup tomcat]# vi webapps/jk/index.jsp
测试文件
cat index.jsp
<%@ page contentType="text/html;charset=utf-8"%>

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>apache+tomcat</title>
</head>
<body>
<%="It works!"%>
<%=new java.util.Date()%>
</body>
</html>

RewriteEngine 连接 Tomcat 起始页 Script 1
Script 1
Script 1
Script 1
#!/bin/bash
##############################################################
# Script for Apache and Tomcat
# File:/etc/rc.d/init.d/www
##############################################################
# Setup environment for script execution
#
# description: Starts and stops the apache and tomcat daemons \
# used to provide Neo Chen
#
# pidfile: /var/run/www/apache.pid
# pidfile: /var/run/www/tomcat.pid
# config: /etc/apache2/apache2.conf
#APACHE_HOME=/usr/local/apache
#TOMCAT_HOME=/usr/local/tomcat
#APACHE_USER=apache
#TOMCAT_USER=tomcat
APACHE_HOME=/usr/local/apache-evaluation
TOMCAT_HOME=/usr/local/apache-tomcat-evaluation
APACHE_USER=root
TOMCAT_USER=root
OPEN_FILES=20480
# Source function library.

if [ -f /etc/init.d/functions ] ; then
elif [ -f /etc/rc.d/init.d/functions ] ; then
. /etc/rc.d/init.d/functions
else
exit 0
fi
if [ ! -d /var/run/www ] ; then
mkdir /var/run/www
fi
if [ -f /var/lock/subsys/tomcat ] ; then

Script 1
echo " "

fi
start() {
if [ ùlimit -n` != ${OPEN_FILES} ]; then
ulimit -n ${OPEN_FILES}
fi
echo -en "\\033[1;32;1m"
echo "Starting Tomcat $TOMCAT_HOME ..."
echo -en "\\033[0;39;1m"
if [ -s /var/run/www/tomcat.pid ]; then
echo "tomcat (pid `cat /var/run/www/tomcat.pid`) already running"
else
su - ${TOMCAT_USER} -c "$TOMCAT_HOME/bin/catalina.sh start > /dev/
null"
echo `pgrep java` > /var/run/www/tomcat.pid
touch /var/lock/subsys/tomcat
fi
sleep 2
echo -en "\\033[1;32;1m"
echo "Starting Apache $APACHE_HOME ..."
echo -en "\\033[0;39;1m"
su - ${APACHE_USER} -c "$APACHE_HOME/bin/apachectl start"
touch /var/lock/subsys/apache
}
stop() {
echo -en "\\033[1;32;1m"
echo "Shutting down Apache $APACHE_HOME ..."
echo -en "\\033[0;39;1m"
su - ${APACHE_USER} -c "$APACHE_HOME/bin/apachectl stop"
sleep 2
echo -en "\\033[1;32;1m"
echo "Shutting down Tomcat $TOMCAT_HOME ..."
echo -en "\\033[0;39;1m"
su - ${TOMCAT_USER} -c "$TOMCAT_HOME/bin/catalina.sh stop > /dev/null"
rm -rf /var/run/www/tomcat.pid
rm -f /var/lock/subsys/tomcat
rm -f /var/lock/subsys/apache
}
restart() {
stop
if [ "`pgrep java`" = "" ]&& [ "`pgrep httpd`" = "" ]; then
start
exit 0
else
echo "Usage: $0 killall (^C)"
echo -n "Waiting: "
fi
while true;
do

Script 1
sleep 1
if [ "`pgrep java`" = "" ] && [ "`pgrep httpd`" = "" ]; then
break
else
echo -n "."
#echo -n "Enter your [y/n]: "; read ISKILL;
fi
done
echo
start
}
status() {
ps -aux | grep -e tomcat -e apache
echo -en "\\033[1;32;1m"

echo ulimit open files: ùlimit -n`
echo -en "\\033[0;39;1m"
echo -en "\\033[1;32;1m"

echo -en "httpd count:"
ps axf|grep httpd|wc -l
echo -en "\\033[0;39;1m"
}
killall() {
if [ "`pgrep httpd`" != "" ]; then
echo -en "\\033[1;32;1m"
echo "kill Apache pid(`pgrep httpd`) ..."
kill -9 `pgrep httpd`
echo -en "\\033[0;39;1m"
fi
if [ "`pgrep java`" != "" ]; then
echo -en "\\033[1;32;1m"
echo "kill Tomcat pid(`pgrep java`) ..."
kill -9 `pgrep java`
echo -en "\\033[0;39;1m"
fi
}
# Determine and execute action based on command line parameter

case "$1" in
start)
start
;;
stop)
stop
;;

Script 1
restart)
restart
;;
status)
status
;;
killall)
killall
;;
*)
echo -en "\\033[1;32;1m"
echo "Usage: $1 {start|stop|restart|status|killall}"
echo -en "\\033[0;39;1m"
;;
esac
echo -en "\\033[0;39;m"
exit 0

Testing file 起始页 Shell Script 2

Shell Script 2
Shell Script 2
Shell Script 2
Apache,Tomcat 运行脚本
例 26.2. /etc/rc.d/init.d/www
#!/bin/bash
##############################################################
# Script for Apache and Tomcat
# File:/etc/rc.d/init.d/www
##############################################################
# Setup environment for script execution
#
# description: Starts and stops the apache and tomcat daemons \
# used to provide Neo Chen<openunix@163.com>
#
# pidfile: /var/run/www/apache.pid
# pidfile: /var/run/www/tomcat.pid
# config: /etc/apache2/apache2.conf
#APACHE_HOME=/usr/local/apache
#TOMCAT_HOME=/usr/local/tomcat
#APACHE_USER=apache
#TOMCAT_USER=tomcat
APACHE_HOME=/usr/local/apache
TOMCAT_HOME=/usr/local/tomcat
APACHE_USER=root
TOMCAT_USER=root
WAIT_TIME=10
get_apache_pid(){
APACHE_PID=`pgrep -o httpd`
echo $APACHE_PID
}
get_tomcat_pid(){
TOMCAT_PID=`ps axww | grep catalina.home | grep -v 'grep' | sed q | awk '{print
$1}'`
echo $TOMCAT_PID
}
#OPEN_FILS=40960

Shell Script 2
# Source function library.

#if [ -f /etc/init.d/functions ] ; then
# . /etc/init.d/functions
#elif [ -f /etc/rc.d/init.d/functions ] ; then
# . /etc/rc.d/init.d/functions
#else
# exit 0
#fi
if [ ! -d /var/run/www ] ; then
mkdir /var/run/www
fi
#if [ -f /var/lock/subsys/tomcat ] ; then

#fi
start() {
#if [ ùlimit -n` -le ${OPEN_FILES} ]; then
# ulimit -n ${OPEN_FILES}
#fi
echo -en "\\033[1;32;1m"
echo "Starting Tomcat $TOMCAT_HOME ..."
echo -en "\\033[0;39;1m"
if [ -s /var/run/www/tomcat.pid ]; then
echo "tomcat (pid `cat /var/run/www/tomcat.pid`) already running"
else
su - ${TOMCAT_USER} -c "$TOMCAT_HOME/bin/catalina.sh start > /dev/
null"
echo `get_tomcat_pid` > /var/run/www/tomcat.pid
fi
sleep 2
echo -en "\\033[1;32;1m"
echo "Starting Apache $APACHE_HOME ..."
echo -en "\\033[0;39;1m"
su - ${APACHE_USER} -c "$APACHE_HOME/bin/apachectl start"
touch /var/lock/subsys/apache
}
stop() {
echo -en "\\033[1;32;1m"
echo "Shutting down Apache $APACHE_HOME ..."
echo -en "\\033[0;39;1m"
su - ${APACHE_USER} -c "$APACHE_HOME/bin/apachectl stop"
sleep 2
echo -en "\\033[1;32;1m"
echo "Shutting down Tomcat $TOMCAT_HOME ..."
echo -en "\\033[0;39;1m"
}

Shell Script 2
restart() {
stop
sleep 2
if [ -z `get_tomcat_pid` ]&& [ -z `get_apache_pid` ]; then
start
exit 0
else
echo -n "Waiting: "
fi
while true;
do
sleep 1
if [ -z `get_tomcat_pid` ] && [ -z `get_apache_pid` ]; then
break
else
echo -n "."
fi
done
echo
start
}
k9restart() {
ISEXIT='false'
stop
for i in `seq 1 ${WAIT_TIME}`;
do
ISEXIT='true'
break
else
sleep 1
fi
done
if [ $ISEXIT == 'false' ]; then

while true;
do
ISEXIT='true'
break
fi
if [ -n `get_apache_pid` ]; then
kill -9 `pgrep httpd`
fi
if [ -n `get_tomcat_pid` ]; then
kill -9 `get_tomcat_pid`
fi
done

Shell Script 2
fi
echo
if [ $ISEXIT == 'true' ]; then

start
fi
}
status() {
#ps -aux | grep -e tomcat -e apache
echo -en "\\033[1;32;1m"

echo ulimit open files: ùlimit -n`
echo -en "\\033[0;39;1m"
echo -en "\\033[1;32;1m"

echo -en "httpd count:"
let hc=`ps axf|grep httpd|wc -l`-1
echo $hc
echo -en "apache count:"
netstat -alp | grep '*:http' | wc -l
echo -en "tomcat count:"
netstat -alp | grep '*:webcache' | wc -l
echo -en "dbconn count:"
netstat -a | grep ':3433' | wc -l
echo -en "\\033[0;39;1m"
}
kall() {
if [ `get_apache_pid` ]; then
echo -en "\\033[1;32;1m"
echo "kill Apache pid(`pgrep httpd`) ..."
kill `pgrep httpd`
echo -en "\\033[0;39;1m"
fi
if [ `get_tomcat_pid` ]; then
echo -en "\\033[1;32;1m"
echo "kill Tomcat pid(`pgrep java`) ..."
kill `pgrep java`
echo -en "\\033[0;39;1m"
fi
}
reload() {
killall -HUP httpd
}

Shell Script 2
tomcat_restart() {
sleep 2
if [ -z `get_tomcat_pid` ]; then
su - ${TOMCAT_USER} -c "$TOMCAT_HOME/bin/catalina.sh start > /dev/null"
exit 0
else
echo -n "Waiting: "
fi
while true;
do
sleep 1
if [ -z `get_tomcat_pid` ]; then
echo
break
else
echo -n "."
#echo -n "Enter your [y/n]: "; read ISKILL;
fi
done
su - ${TOMCAT_USER} -c "$TOMCAT_HOME/bin/catalina.sh start > /dev/null"
echo `get_tomcat_pid` > /var/run/www/tomcat.pid
}
# Determine and execute action based on command line parameter

case $1 in
apache)
case "$2" in
reload)
reload
;;
*)
su - ${APACHE_USER} -c "${APACHE_HOME}/bin/apachectl $2"
;;
esac
;;
tomcat)
case "$2" in
restart)
tomcat_restart
;;
*)
su - ${TOMCAT_USER} -c "${TOMCAT_HOME}/bin/catalina.sh $2"
;;
esac
;;
start)
start

Shell Script 2
;;
stop)
stop
;;
restart)
restart
;;
status)
status
;;
killall)
kall
;;
k9restart)
k9restart >/dev/null
;;
*)
echo -en "\\033[1;32;1m"
echo "Usage: $0 {start|stop|restart|status|killall|k9restart}"
echo "Usage: $0 apache {start|restart|graceful|graceful-stop|stop|reload}"
echo "Usage: $0 tomcat {debug|run|start|restart|stop|version}"
echo -en "\\033[0;39;1m"
;;
esac
echo -en "\\033[0;39;m"
exit 0
chmod 700 /etc/init.d/www

Script 1 起始页第 27 章 Resin

第 27 章 Resin
第 27 章 Resin
第 27 章 Resin
目录
安装Resin
Debian/Ubuntu
源码安装Resin
http://www.caucho.com
安装Resin
JRE
$ sudo apt-get install sun-java6-jre
下载Resin
注意: Resin Pro 与 Resin 前者要Licence
Debian/Ubuntu
$ wget http://www.caucho.com/download/resin_4.0.1-i386.deb
安装 Resin
$ sudo dpkg -i resin_4.0.1-i386.deb

第 27 章 Resin
源码安装Resin
源码安装
$ cd /usr/local/src/
$ wget http://www.caucho.com/download/resin-4.0.1.tar.gz
$ tar zxvf resin-4.0.1.tar.gz
$ sudo mv resin-4.0.1 ..
$ cd ..
$ sudo ln -s resin-4.0.1 resin
设置 resin 以服务的形式开机自启动
$ sudo cp /usr/local/resin/contrib/init.resin /etc/init.d/resin

$ sudo chmod 755 /etc/init.d/resin
$ sudo update-rc.d resin defaults 99

Shell Script 2 起始页 Compiling mod_caucho.so

上一页第 27 章 Resin 下一页
unix> ./configure --with-apxs=/usr/local/apache/bin/apxs

unix> make && make install
LoadModule caucho_module /usr/local/apache/modules/mod_caucho.so

ResinConfigServer 192.168.3.10 6802
CauchoConfigCacheDirectory /tmp
CauchoStatus yes
<Location /caucho-status>
SetHandler caucho-status
</Location>
<IfModule mod_caucho.c>
ResinConfigServer localhost 6802
<Location /caucho-status>
SetHandler caucho-status
</Location>
</IfModule>
AddHandler caucho-request jsp

<Location /servlet/*>
SetHandler caucho-request
</Location>


第 27 章 Resin 起始页第 28 章 Application Service

第 28 章 Application Service
目录
Zope
Zope
参考Python安装
1. 下载 Zope-3
wget http://www.zope.org/Products/Zope3/3.3.1/Zope-3.3.1.tgz
tar zxvf Zope-3.3.1.tgz
cd cd Zope-3.3.1
2. configure
./configure --prefix=/usr/local/Zope --with-python=/usr/local/python2.4/bin/python
make
make check
make install
3. 创建一个Zope实例
cd /usr/local/Zope
./bin/mkzopeinstance -u neo:chen -d /usr/local/Zope/webapps
cd webapps
./bin/runzope
4. 测试
http://netkiller.8800.org:8080/

Compiling mod_caucho.so 起始页 JBoss - JBoss Enterprise Middleware


上一页第 28 章 Application Service 下一页

参考Java安装
1. 下载安装 JBoss
cd /usr/local/src/
wget http://nchc.dl.sourceforge.net/sourceforge/jboss/jboss-5.0.0.Beta2.zip
unzip jboss-5.0.0.Beta2.zip
mv jboss-5.0.0.Beta2 ..
cd ..
ln -s jboss-5.0.0.Beta2 jboss
2. 运行 Jboss
cd jboss/bin
chmod +x *.sh
./run.sh

第 28 章 Application Service 起始页第 29 章 Search Engine
第 29 章 Search Engine
目录
Solr
Embedded Jetty
Jetty
Tomcat
solr-php-client
multicore
中文分词
Nutch
Solr
http://lucene.apache.org/solr/
java 采用apt-get安装
例 29.1. /etc/profile.d/java.sh
################################################
### Java environment by neo
################################################
export JAVA_HOME=/usr
export JRE_HOME=/usr
export PATH=$PATH:/usr/local/apache-tomcat/bin/:/usr/local/jetty-6.1.18/bin
export CLASSPATH="./:/usr/share/java/:/usr/local/apache-solr/example/multicore/lib"
Embedded Jetty
wget http://apache.freelamp.com/lucene/solr/1.3.0/apache-solr-1.3.0.tgz
tar zxvf apache-solr-1.3.0.tgz
ln -s apache-solr-1.3.0 ../apache-solr
cd ../apache-solr/example/
java -jar start.jar
multicore: java -Dsolr.solr.home=multicore -jar start.jar
Jetty

http://jetty.mortbay.org/jetty/
过程 29.1. apt-get install
1. install
$ sudo apt-get install libxpp3-java

$ sudo apt-get install solr-jetty
2. firewall
$ sudo ufw allow 8280
3. Testing.
http://172.16.0.1:8280/
http://172.16.0.1:8280/admin/ (user:admin, passwd:admin)
过程 29.2. source codes install
● download
wget http://dist.codehaus.org/jetty/jetty-6.1.18/jetty-
6.1.18.zip
Tomcat
http://tomcat.apache.org/
1. download
cd /usr/local/src
wget http://apache.etoak.com/tomcat/tomcat-6/v6.0.20/bin/apache-tomcat-6.0.20.tar.gz
wget http://apache.freelamp.com/lucene/solr/1.3.0/apache-solr-1.3.0.tgz
tar zxvf apache-tomcat-6.0.20.tar.gz

ln -s apache-tomcat-6.0.20 ../apache-tomcat

tar zxvf apache-solr-1.3.0.tgz

ln -s apache-solr-1.3.0 ../apache-solr
2. solr.xml
vim /usr/local/apache-tomcat/conf/Catalina/localhost/solr.xml
<Context docBase="/usr/local/apache-solr/dist/apache-solr-1.3.0.war"
debug="0" crossContext="true" >
<Environment name="solr/home" type="java.lang.String" value="/usr/local/
apache-solr/example/solr" override="true" />
</Context>
solr-php-client
http://code.google.com/p/solr-php-client/
wget http://solr-php-client.googlecode.com/files/SolrPhpClient.2009-03-11.tgz
tar zxvf SolrPhpClient.2009-03-11.tgz
sudo mv SolrPhpClient/Apache /usr/share/php/
multicore
solr.xml
vim /usr/local/apache-solr/example/multicore/solr.xml
<?xml version="1.0" encoding="UTF-8" ?>

<solr persistent="false">
<cores adminPath="/admin/cores">
<core name="core0" instanceDir="core0" />
<core name="core1" instanceDir="core1" />
<core name="article" instanceDir="article" />
</cores>
</solr>
core directory and config file

mkdir -p article/conf
vim article/conf/solrconfig.xml
<?xml version="1.0" encoding="UTF-8" ?>

<config>
<updateHandler class="solr.DirectUpdateHandler2" />
<requestDispatcher handleSelect="true" >
<requestParsers enableRemoteStreaming="false" multipartUploadLimitInKB="2048" />
</requestDispatcher>
<requestHandler name="standard" class="solr.
StandardRequestHandler" default="true" />
<requestHandler name="/update" class="solr.XmlUpdateRequestHandler" />
<requestHandler name="/admin/" class="org.apache.solr.handler.
admin.AdminHandlers" />
<admin>
<defaultQuery>solr</defaultQuery>
</admin>
</config>
vim article/conf/schema.xml
<?xml version="1.0" ?>

<schema name="example core zero" version="1.1">
<types>
<fieldType name="sint" class="solr.SortableIntField"
sortMissingLast="true" omitNorms="true"/>
<fieldtype name="string" class="solr.StrField"
<fieldType name="date" class="solr.DateField"
<fieldType name="text" class="solr.TextField" positionIncrementGap="100" />
</types>
<fields>

<field name="id" type="sint" indexed="true"
stored="true" multiValued="false" required="true"/>
<field name="type" type="string" indexed="true"
stored="true" multiValued="false" />
<field name="name" type="string" indexed="true"
<field name="title" type="string" indexed="true"
<field name="content" type="text" indexed="true"
<field name="timestamp" type="date" indexed="true" stored="true" default="NOW"/>
</fields>

<uniqueKey>id</uniqueKey>

<defaultSearchField>content</defaultSearchField>

<solrQueryParser defaultOperator="OR"/>
<copyField source="title" dest="content"/>
<copyField source="name" dest="content"/>
</schema>

commit datas
vim test.xml
<add>
<doc>
<field name="id">1</field>
<field name="name">Hello world</field>
</doc>
<doc>
<field name="title">Title Hello world</field>
</doc>
<doc>
<field name="name">Hello world 1</field>
<field name="content">Content 1</field>
</doc>
<doc>
<field name="name">Name Neo</field>
</doc>
<doc>
<field name="name">Last Chan</field>
</doc>
</add>
java -Durl=http://localhost:8983/solr/article/update -Dcommit=yes -

jar ../exampledocs/post.jar test.xml
中文分词
ChineseTokenizerFactory
<fieldType name="text" class="solr.TextField" >

<analyzer>
<tokenizer class="org.apache.solr.analysis.ChineseTokenizerFactory"/>
</analyzer>
</fieldType>

CJK
<fieldType name="text" class="solr.TextField" positionIncrementGap="100">

<analyzer>
<tokenizer class="solr.CJKTokenizerFactory"/>
</analyzer>
</fieldType>
mmseg4j
http://code.google.com/p/mmseg4j/
install
$ wget http://mmseg4j.googlecode.com/files/mmseg4j-1.7.2.zip
$ unzip mmseg4j-1.7.2.zip
$ mkdir /usr/local/apache-solr/example/multicore/lib
$ cp /usr/local/src/mmseg4j-1.7.2/mmseg4j-all-1.7.2.jar /usr/local/apache-
solr/example/multicore/lib
$ cd mmseg4j-1.7.2/
test
$ java -Dmmseg.dic.path=/usr/local/apache-solr/example/solr -jar mmseg4j-all-

1.7.2.jar 这里是字符串
$ java -Dmmseg.dic.path=/usr/local/apache-solr/example/solr -cp .:mmseg4j-all-
1.7.2.jar com.chenlb.mmseg4j.example.Simple 这里是字符串
$ java -Dmmseg.dic.path=/usr/local/apache-solr/example/solr -cp .:mmseg4j-all-
1.7.2.jar com.chenlb.mmseg4j.example.MaxWord 这里是字符串
mmseg4j 在 solr 中主要支持两个参数：mode、dicPath。mode 表示是什么模式分词（有效值：simplex、

complex、max-word，如果输入了无效的默认用 max-word。）。dicPath 是词库目录可以是绝对目录，也可以是相
对目录（是相对 solr.home 目录下的，dic 就会在 solr.home/dic 目录下找词库文件），如果不指定就是默认在
CWD/data 目录（程序运行当前目录的data子目录）下找。
分词例子
<fieldtype name="textComplex" class="solr.TextField">

<analyzer>
<tokenizer class="com.chenlb.mmseg4j.solr.MMSegTokenizerFactory"
mode="complex" dicPath="dic">
</tokenizer>
</analyzer>
</fieldtype>
<fieldtype name="textMaxWord" class="solr.TextField">

<analyzer>
mode="max-word" dicPath="dic">
</tokenizer>
</analyzer>
</fieldtype>
<fieldtype name="textSimple" class="solr.TextField">

<analyzer>
mode="simple" dicPath="/usr/local/apache-solr/example/
solr/my_dic">
</tokenizer>
</analyzer>
</fieldtype>
添加到schema.xml
<fieldType name="text" class="solr.TextField" positionIncrementGap="100" >

<analyzer>
<tokenizer class="com.chenlb.mmseg4j.solr.
MMSegTokenizerFactory" mode="complex" dicPath="dic"/>
<filter class="solr.LowerCaseFilterFactory"/>
</analyzer>
</fieldType>
http://localhost:8080/solr/admin/analysis.jsp 在 Field 的下拉菜单选择 name，然后在应用输入 complex。可以

看 mmseg4j 的分词的结果.
中文分词“庖丁解牛” Paoding Analysis
$ mkdir paoding-analysis-2.0.4-beta
$ cd paoding-analysis-2.0.4-beta/
$ wget http://paoding.googlecode.com/files/paoding-analysis-2.0.4-beta.zip
$ unzip paoding-analysis-2.0.4-beta.zip
$ cp paoding-analysis.jar /usr/local/apache-solr/example/multicore/lib/
ChineseTokenizerFactory


JBoss - JBoss Enterprise Middleware 起始页 Nutch

Nutch
Nutch
上一页第 29 章 Search Engine 下一页
Nutch
http://lucene.apache.org/nutch/
How to Setup Nutch and Hadoop
http://wiki.apache.org/nutch/NutchHadoopTutorial
1. 下载
$ wget http://apache.etoak.com/lucene/nutch/nutch-1.0.tar.gz
$ tar zxvf nutch-1.0.tar.gz
$ sudo cp -r nutch-1.0 ..
$ cd ..
$ sudo ln -s nutch-1.0 apache-nutch
2. 创建文件myurl
$ cd apache-nutch
$ mkdir urls
$ vim urls/myurl
http://netkiller.8800.org/
3. 配置文件 crawl-urlfilter.txt
编辑conf/crawl-urlfilter.txt文件，修改MY.DOMAIN.NAME部分，把它替换为你想要抓取的域名
$ cp conf/crawl-urlfilter.txt conf/crawl-urlfilter.txt.old
$ vim conf/crawl-urlfilter.txt
# accept hosts in MY.DOMAIN.NAME

+^http://([a-z0-9]*\.)*MY.DOMAIN.NAME/
修改为：
# accept hosts in MY.DOMAIN.NAME
+^http://([a-z0-9]*\.)*netkiller.8800.org/
4. http.agent.name
$ vim conf/nutch-site.xml
<?xml version="1.0"?>

Nutch
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>

<configuration>
<property>
<name>http.agent.name</name>
<value>Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624
Firefox/3.5</value>
<description>HTTP 'User-Agent' request header. MUST NOT be empty -
please set this to a single word uniquely related to your organization.
NOTE: You should also check other related properties:
http.robots.agents
http.agent.description
http.agent.url
http.agent.email
http.agent.version
and set their values appropriately.
</description>
</property>
<property>
<name>http.agent.description</name>
<value></value>
<description>Further description of our bot- this text is used in
the User-Agent header. It appears in parenthesis after the agent name.
</description>
</property>
<property>
<name>http.agent.url</name>
<value>http://netkiller.8800.org/robot.html</value>
<description>A URL to advertise in the User-Agent header. This will
appear in parenthesis after the agent name. Custom dictates that this
should be a URL of a page explaining the purpose and behavior of this
crawler.
</description>
</property>
<property>
<name>http.agent.email</name>
<value>openunix@163.com</value>
<description>An email address to advertise in the HTTP 'From' request
header and User-Agent header. A good practice is to mangle this
address (e.g. 'info at example dot com') to avoid spamming.
</description>
</property>
</configuration>

Nutch
5. 运行以下命令行开始工作
$ bin/nutch crawl urls -dir crawl -depth 3 -threads 5
bin/nutch crawl <your_url> -dir <your_dir> -depth 2 -threads 4 >&logs/logs1.log
urls 存放需要爬行的url文件的目录，即目录/nutch/urls。
-dir dirnames 设置保存所抓取网页的目录.
-depth depth 表明抓取网页的层次深度
-delay delay 表明访问不同主机的延时，单位为“秒”
-threads threads 表明需要启动的线程数
-topN 50 topN 一个网站保存的最大页面数。
$ nohup bin/nutch crawl /usr/local/apache-nutch/urls -dir /usr/local/apache-nutch/

crawl -depth 5 -threads 50 -topN 50 > /tmp/nutch.log &
6. depoly
$ cd /usr/local/apache-tomcat/conf/Catalina/localhost
$ vim nutch.xml
<Context docBase="/usr/local/apache-nutch/nutch-1.0.war" debug="0"
crossContext="true" >
</Context>
searcher.dir
$ vim /usr/local/apache-tomcat/webapps/nutch/WEB-INF/classes/nutch-site.xml
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>

<configuration>
<property>
<name>searcher.dir</name>
<value>/usr/local/apache-nutch/crawl</value>
</property>
</configuration>

Nutch
test
http://172.16.0.1:8080/nutch/

第 29 章 Search Engine 起始页第 30 章 Web Server Optimization

第 30 章 Web Server Optimization


目录
ulimit
open files
php.ini
Resource Limits
File Uploads
Session Shared
PATHINFO
Zend Optimizer
eaccelerator
Memcached
编译安装
debian/ubuntu
khttpd
系统配置
1. Intel(R) Xeon(TM) CPU 3.00GHz

2. Memory 4G
3. Ethernet adapter 1000M
ulimit
查看 ulimit
ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
file size (blocks, -f) unlimited

pending signals (-i) 1024

max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
stack size (kbytes, -s) 2048
cpu time (seconds, -t) unlimited
max user processes (-u) 77824
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
open files
对于linux系统，所有设备都以映射为设备文件的方式存在，包括硬件（键盘，鼠标，打印机，显
示器，串口，并口，USB，硬盘，内存，网卡，声卡，显卡，等等....），还有软件(管道，
socket)，访问这些资源，就相当与打开一个文件，
所以"open files"文件数限制很重要，默认值根本不能满足我们。
查看文件打开数
$ cat /proc/sys/fs/file-nr
3200 0 197957
已分配文件句柄的数目已使用文件句柄的数目文件句柄的最大数目
查看所有进程的文件打开数
lsof |wc -l
查看某个进程打开的文件数
lsof -p pid |wc -l
临时更改
# ulimit -n 65536
or
# ulimit -SHn 65536
or

# echo "65535" > /proc/sys/fs/file-max
永久更改
/etc/security/limits.conf
nobody soft nofile 40960

root soft nofile 40960
nobody hard nofile 40960
root hard nofile 40960
daemon soft nofile 40960
daemon hard nofile 40960
更省事的方法
* soft nofile 40960

* hard nofile 40960
最大线程数限制 threads-max
查看当前值
# cat /proc/sys/kernel/threads-max
32624
设置
有多种方法加大Linux的threads数，下买是临时更改
１、sysctl -w kernel.threads-max=65536
２、echo 65536 > /proc/sys/kernel/threads-max

永久修改
编辑/etc/sysctl.conf
增加
kernel.threads-max = 65536
#sysctl -p 马上生效
以上数值仅供参考，随着计算机发展，上面的值已经不太适合，当前流行的服务器。

Nutch 起始页 php.ini

php.ini
php.ini
上一页第 30 章 Web Server Optimization 下一页
php.ini
Resource Limits
Resource Limits
;;;;;;;;;;;;;;;;;;;
; Resource Limits ;
;;;;;;;;;;;;;;;;;;;
max_execution_time = 30 ; Maximum execution time of each script, in seconds

max_input_time = 60 ; Maximum amount of time each script may spend parsing request
data
;max_input_nesting_level = 64 ; Maximum input variable nesting level
memory_limit = 512M ; Maximum amount of memory a script may consume (16MB)
File Uploads
;;;;;;;;;;;;;;;;
; File Uploads ;
;;;;;;;;;;;;;;;;
; Whether to allow HTTP file uploads.

file_uploads = On
; Temporary directory for HTTP uploaded files (will use system default if not
; specified).
;upload_tmp_dir =
; Maximum allowed size for uploaded files.

upload_max_filesize = 5M
Session Shared
编辑 php.ini 在 [Session]位置添加。
extension=memcache.so
memcache.allow_failover = 1
memcache.max_failover_attempts = 20
memcache.chunk_size = 8192

php.ini
memcache.default_port = 11211
session.save_handler = memcache
session.save_path = "udp://172.16.0.10:11211,tcp://172.16.0.11:11211"
PATHINFO
cgi.fix_pathinfo=1

第 30 章 Web Server Optimization 起始页 APC Cache (php-apc - APC (Alternative PHP
Cache) module for PHP 5)

APC Cache (php-apc - APC (Alternative PHP Cache) module

for PHP 5)
$ apt-cache search php-apc

php-apc - APC (Alternative PHP Cache) module for PHP 5
$ sudo apt-get install php-apc
apc cache 状态监控
http://pecl.php.net/package/APC
下载解包找到apc.php,放到web服务器上

php.ini 起始页 Zend Optimizer
Zend Optimizer
Zend Optimizer
Zend Optimizer
http://www.zend.com/
tar zxvf ZendOptimizer-3.2.8-linux-glibc21-i386.tar.gz

cd ZendOptimizer-3.2.8-linux-glibc21-i386
./install
过程 30.1. 安装 Zend Optimizer
1. 欢迎界面
┌──────────────────── Zend Optimizer 3.2.8 ─────────────────────┐

│ │
│ Welcome to the Zend Optimizer 3.2.8 Installation! │
│ │
│ For more information regarding this procedure, please see the │
│ Zend Optimizer Installation Guide. │
│ │
│ │
├───────────────────────────────────────────────────────────────┤
│ < OK > │
└───────────────────────────────────────────────────────────────┘
单击 < OK > 按钮
2. LICENSE

Zend Optimizer
Page Down / Page Up 阅读
┌─────────────────────────── Zend Optimizer 3.2.8 ────────────────────────────┐

│ ZEND LICENSE AGREEMENT │
│ Zend Optimizer │
│ │
│ ZEND TECHNOLOGIES LTD. ("ZEND") SOFTWARE LICENSE AGREEMENT ("AGREEMENT") │
│ │
│ IMPORTANT: READ THESE TERMS CAREFULLY BEFORE INSTALLING THE SOFTWARE KNOWN │
│ AS THE "ZEND OPTIMIZER," AS INSTALLED BY THIS INSTALLATION PROCESS, IN │
│ MACHINE-EXECUTABLE FORM ONLY, AND ANY RELATED DOCUMENTATION (COLLECTIVELY, │
│ THE "SOFTWARE") BY INSTALLING, OR OTHERWISE USING THIS SOFTWARE, YOU (THE │
│ "LICENSEE") ACKNOWLEDGE THAT YOU HAVE READ THIS AGREEMENT, AND THAT YOU │
│ AGREE TO BE BOUND BY ITS TERMS AND CONDITIONS. IF YOU DO NOT AGREE TO ALL │
│ OF THE TERMS AND CONDITIONS OF THIS AGREEMENT, YOU ARE NOT AN AUTHORIZED │
│ USER OF THE SOFTWARE AND IT IS YOUR RESPONSIBILITY TO EXIT THIS │
│ INSTALLATION PROGRAM WITHOUT INSTALLING THE SOFTWARE, OR TO DELETE THE │
│ SOFTWARE FROM YOUR COMPUTER. │
│ │
│ 1. License. Subject to the terms and conditions of this Agreement, │
│ including, without limitation, Section 2 hereof, Zend hereby grants to │
│ Licensee, during the Term (as defined below), a limited, a non-exclusive │
│ license (the "License") to: (i) install and operate the Software on a │
│ computer or a computer network owned or operated by Licensee; (ii) make │
│ copies of the Software; and (iii) sublicense and distribute a limited, │
│ non-exclusive sublicense to install, use and sublicense such copies of the │
│ Software, provided that any sub-license granted hereunder shall be subject │
│ to the limitations and restrictions set forth in this Agreement. │
│ │
│ 2. Restrictions. Except as otherwise expressly set forth herein, Licensee │
│ or any of its sub-licensees shall not: (a) translate or decompile, or │
│ create or attempt to create, by reverse engineering or otherwise, the │
│ source code form from the object code supplied hereunder; (b) modify, │
│ adapt, translate or create a derivative work from the Software; (c) remove │
│ any proprietary notices, labels, or marks on the Software. │
│ │
│ 3. Termination. This Agreement and the License hereunder shall be in │
│ effect from and after the date Licensee installs the Software on a │
Zend Optimizer
│ computer in accordance with the terms and conditions hereof and shall │
│ continue perpetually unless terminated in accordance with this Section 3. │
│ This Agreement shall be automatically terminated upon any breach by │
│ Licensee of any term or condition of this Agreement. Such period shall be │
├─────────────────────────────────────────────────────────────────────( 21%)──┤
│ < EXIT > │
└─────────────────────────────────────────────────────────────────────────────┘
单击 < EXIT > 按钮

3. 是否接受LICENSE?
┌─────────────────────────── Zend Optimizer 3.2.8 ───────────────────────────┐

│ │
│ IMPORTANT: │
│ BY SELECTING THE 'YES' OPTION BELOW, DOWNLOADING, INSTALLING, OR │
│ OTHERWISE USING THIS SOFTWARE, YOU ACKNOWLEDGE THAT YOU HAVE READ THE │
│ LICENSE AGREEMENT, AND THAT YOU AGREE TO BE BOUND BY ITS TERMS AND │
│ CONDITIONS. │
│ IF YOU DO NOT AGREE TO ALL OF THE TERMS AND CONDITIONS OF SUCH AGREEMENT, │
│ YOU ARE NOT AN AUTHORIZED USER OF THE SOFTWARE AND IT IS YOUR │
│ RESPONSIBILITY TO EXIT THIS DOWNLOADING/INSTALLATION PROCESS WITHOUT │
│ DOWNLOADING OR INSTALLING THE SOFTWARE BY SELECTING THE 'NO' OPTION BELOW, │
│ AND TO DELETE THE SOFTWARE FROM YOUR COMPUTER. │
│ │
│ │
│ Do you accept the terms of this license? │
│ │
├────────────────────────────────────────────────────────────────────────────┤
│ < Yes > < No > │
└────────────────────────────────────────────────────────────────────────────┘
单击 < Yes > 按钮

Zend Optimizer
4. Zend Optimizer 安装路径
┌─────────────────── Zend Optimizer 3.2.8 ───────────────────┐

│ │
│ Please specify the location for installing Zend Optimizer: │
│ │
│ │
│ ┌────────────────────────────────────────────────────────┐ │
│ │/usr/local/Zend │ │
│ └────────────────────────────────────────────────────────┘ │
├────────────────────────────────────────────────────────────┤
│ < OK > <Cancel> │
└────────────────────────────────────────────────────────────┘
建议安装在/usr/local/Zend_3.2.8
5. php.ini 安装路径
┌───────── Zend Optimizer 3.2.8 ──────────┐

│ │
│ Enter the location of your php.ini file │
│ │
│ ┌─────────────────────────────────────┐ │
│ │/usr/local/php/etc │ │
│ └─────────────────────────────────────┘ │
├─────────────────────────────────────────┤
│ < OK > <Cancel> │
└─────────────────────────────────────────┘

Zend Optimizer
输入php.ini安装路径
6. 是否使用了Apache？
┌────── Zend Optimizer 3.2.8 ──────┐

│ │
│ Are you using Apache Web server? │
│ │
├──────────────────────────────────┤
│ < Yes > < No > │
└──────────────────────────────────┘
我的环境是 lighttpd 所以选择 No
单击 < Yes > 按钮

7. 提示信息
┌─────────────────────────────────── Zend Optimizer

3.2.8 ───────────────────────────────────┐
│ │
│ The following configuration changes have
been made: │
│ │
│ - The php.ini file has been relocated from /usr/local/php/etc to /usr/
local/Zend_3.2.8/etc │
│ │
│ - A symbolic link for the php.ini file has been created in /usr/local/
php/etc. │
│ │
│ - The original php.ini was backed
up to │
│ /usr/local/php/etc/php.ini-
Zend Optimizer
zend_optimizer.bak │
│ │
│ │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ <
OK > │
└────────────────────────────────────────────────────────────────────────────────────────────┘
8. 安装完成
┌───────────────────────── Zend Optimizer 3.2.8 ─────────────────────────┐

│ │
│ The installation has completed successfully. │
│ Zend Optimizer is now ready for use. │
│ You must restart your Web server for the modifications to take effect. │
│ │
├────────────────────────────────────────────────────────────────────────┤
│ < OK > │
└────────────────────────────────────────────────────────────────────────┘

APC Cache (php-apc - APC (Alternative PHP Cache) 起始页 eaccelerator
module for PHP 5)

eaccelerator
eaccelerator
eaccelerator

Zend Optimizer 起始页 Memcached
Memcached
Memcached
Memcached
编译安装
http://www.monkey.org/~provos/libevent/
cd /usr/local/src/
wget http://www.monkey.org/~provos/libevent-1.4.13-stable.tar.gz
tar zxf libevent-1.4.13-stable.tar.gz
cd libevent-1.4.13-stable
./configure --prefix=/usr/local/libevent-1.4.13-stable
make
make install
make verify
ln -s /usr/local/libevent-1.4.13-stable /usr/local/libevent
ln -s /usr/local/libevent/lib/* /usr/lib/
ln -s /usr/local/libevent/include/* /usr/include/
ln -s /usr/local/libevent/lib/* /usr/local/lib/
ln -s /usr/local/libevent/include/* /usr/local/include/
http://www.danga.com/memcached/
cd /usr/local/src/
wget http://memcached.googlecode.com/files/memcached-1.4.5.tar.gz
tar zxf memcached-1.4.5.tar.gz
cd memcached-1.4.5
./configure --prefix=/usr/local/memcached-1.4.5 --with-libevent=/usr/local/libevent
make
make install
ln -s /usr/local/memcached-1.4.5/ /usr/local/memcached
ln -s /usr/local/memcached/bin/memcached /usr/sbin/memcached
/usr/local/memcached/bin/memcached -d -m 2048 -l 127.0.0.1 -p 11211 -u root -c 15000 -P /

tmp/memcached.pid
例 30.1. /etc/init.d/memcached
#!/bin/bash

Memcached
# memcached init file for memcached

#
# description: a distributed memory object caching system
#
# processname: /usr/sbin/memcached
# config:
# pidfile: /var/run/memcached

OPTIONS="-d -m 2048 -l 127.0.0.1 -p 11211 -u root -c 20000 -P /var/run/memcached"

USER=daemon
RETVAL=0
prog="memcached"
start() {
RETVAL=1
failure
else
daemon --user=$USER /usr/sbin/memcached $OPTIONS
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/memcached
fi;
echo
return $RETVAL
}
stop() {
RETVAL=1
failure
else
killproc /usr/sbin/memcached
RETVAL=$?
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/memcached
fi;
echo
return $RETVAL
}
reload(){
killproc /usr/sbin/memcached -HUP
RETVAL=$?
echo
return $RETVAL
}

Memcached
restart(){
stop
start
}
condrestart(){
[ -e /var/lock/subsys/memcached ] && restart
return 0
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
# reload)
# reload
# ;;
condrestart)
condrestart
;;
status)
status memcached
RETVAL=$?
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart}"
RETVAL=1
esac
exit $RETVAL
/etc/init.d/memcached
chmod +x /etc/init.d/memcached
debian/ubuntu
$ sudo apt-get install memcache

Memcached
/etc/memcached.conf
$ cat /etc/memcached.conf
# memcached default config file
# 2003 - Jay Bonci <jaybonci@debian.org>
# This configuration file is read by the start-memcached script provided as
# part of the Debian GNU/Linux distribution.
# Run memcached as a daemon. This command is implied, and is not needed for the
# daemon to run. See the README.Debian that comes with this package for more
# information.
-d
# Log memcached's output to /var/log/memcached

logfile /var/log/memcached.log
# Be verbose
# -v
# Be even more verbose (print client commands as well)

# -vv
# Start with a cap of 64 megs of memory. It's reasonable, and the daemon default
# Note that the daemon will grow to this size, but does not start out holding this
much
# memory
-m 64
# Default connection port is 11211

-p 11211
# Run the daemon as root. The start-memcached will default to running as root if no
# -u command is present in this config file
-u nobody
# Specify which IP address to listen on. The default is to listen on all IP addresses
# This parameter is one of the only security measures that memcached has, so make
sure
# it's listening on a firewalled interface.
-l 127.0.0.1
# Limit the number of simultaneous incoming connections. The daemon default is 1024
# -c 1024
# Lock down all paged memory. Consult with the README and homepage before you do this
# -k
# Return error when memory is exhausted (rather than removing items)

# -M
# Maximize core file limit

# -r

Memcached
restart
$ sudo /etc/init.d/memcached restart

eaccelerator 起始页 khttpd

khttpd
khttpd
khttpd
homepage: http://www.fenrus.demon.nl

Memcached 起始页第 31 章 Web Analysis
第 31 章 Web Analysis
目录
综合测试
awstats
webalizer
综合测试
httpd 进程
lsof -i tcp:80lsof -i tcp:443
[root@backup ~]# lsof -i tcp:80

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
httpd 14449 root 3u IPv6 32995140 TCP *:http (LISTEN)
httpd 17338 daemon 3u IPv6 32995140 TCP *:http (LISTEN)
压力测试 apache
ab -n 10000 -c 1000 http://127.0.0.1/
压力测试 tomcat
ab -n 10000 -c 1000 http://127.0.0.1:8080/

压力测试 mod_proxy_ajp
ab -n 10000 -c 1000 http://127.0.0.1/ajp/
压力测试 mod_jk
ab -n 10000 -c 1000 http://127.0.0.1/jk/

khttpd 起始页 awstats

awstats
awstats
上一页第 31 章 Web Analysis 下一页
awstats
Awstats

第 31 章 Web Analysis 起始页 webalizer
webalizer
webalizer
上一页第 31 章 Web Analysis 下一页
webalizer
Webalizer

awstats 第 32 章 varnish - a state-of-the-
起始页 art, high-performance HTTP
accelerator
第 32 章 varnish - a state-of-the-art, high-performance HTTP accelerator

第 32 章 varnish - a state-of-the-art, high-performance HTTP

accelerator
目录
Varnish Install
status
varnishadm
清除缓存
log file
Varnish Install
http://varnish.projects.linpro.no/
1. install
$ sudo apt-get install varnish
2. /etc/default/varnish
$ sudo vim /etc/default/varnish

DAEMON_OPTS="-a :80 \
-T localhost:6082 \
-f /etc/varnish/default.vcl \
-s file,/var/lib/varnish/$INSTANCE/varnish_storage.
bin,1G"

3. /etc/varnish/default.vcl
$ sudo vim /etc/varnish/default.vcl
backend default {
.host = "127.0.0.1";
.port = "8080";
}
4. reload
$ sudo /etc/init.d/varnish force-reload

* Stopping HTTP accelerator [ OK ]
* Starting HTTP accelerator

webalizer 起始页 status

status
status
第 32 章 varnish - a state-of-the-art, high-
上一页下一页
performance HTTP accelerator
status
$ varnishstat
or
$ varnishstat -n /var/lib/varnish/atom-netkiller/
HTTP Head
$ curl -I http://bg7nyt.mooo.com/
HTTP/1.1 404 Not Found
X-Powered-By: PHP/5.2.6-3ubuntu4.2
Content-type: text/html
Server: lighttpd/1.4.19
Content-Length: 539
Date: Wed, 23 Sep 2009 00:05:11 GMT
X-Varnish: 938430316
Age: 0
Via: 1.1 varnish
Connection: keep-alive
test gzip,defalte
$ curl -H Accept-Encoding:gzip,defalte -I http://bg7nyt.mooo.com/

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.6-3ubuntu4.2
Content-Encoding: gzip
Vary: Accept-Encoding
Content-type: text/html
Server: lighttpd/1.4.19
Date: Wed, 23 Sep 2009 00:08:51 GMT
X-Varnish: 938430335
Age: 0

status
Via: 1.1 varnish

Connection: keep-alive

第 32 章 varnish - a state-of-the-art, varnishadm
起始页
high-performance HTTP accelerator

varnishadm
varnishadm
上一页下一页
varnishadm
help messages
$ varnishadm -T 127.0.0.1:6082 help

help [command]
ping [timestamp]
status
start
stop
stats
vcl.load <configname> <filename>
vcl.inline <configname> <quoted_VCLstring>
vcl.use <configname>
vcl.discard <configname>
vcl.list
vcl.show <configname>
param.show [-l] [<param>]
param.set <param> <value>
quit
purge.url <regexp>
purge.hash <regexp>
purge <field> <operator> <arg> [&& <field> <oper> <arg>]...
purge.list
清除缓存
通过Varnish管理端口，使用正则表达式批量清除缓存：
清除所有缓存

varnishadm
/usr/local/varnish/bin/varnishadm -T 127.0.0.1:6082 url.purge *

$
http://bg7nyt.mooo.com/zh-cn/technology/news.html 清除类/zh-cn/下所有缓存
/usr/local/varnish/bin/varnishadm -T 127.0.0.1:6082 url.purge /zh-

cn/
3、　　(1)、例：清除类似http://blog.s135.com/a/zhangyan.html的URL地址）：　　(2)、
例：清除类似http://blog.s135.com/tech的URL地址： /usr/local/varnish/bin/varnishadm -T
127.0.0.1:3500 url.purge w*$ 　　(3)、例：：

status 起始页 log file

log file
log file
上一页下一页
log file
log file
$ sudo vim /etc/default/varnishlog

VARNISHLOG_ENABLED=1
$ sudo /etc/init.d/varnishlog start
* Starting HTTP accelerator log deamon [ OK ]
$ sudo vim /etc/default/varnishncsa

VARNISHNCSA_ENABLED=1
$ sudo /etc/init.d/varnishncsa start
* Starting HTTP accelerator log deamon [ OK ]

varnishadm 部分 IV. File Transfer, Synchronize,
起始页
Storage And Backup/Restore
部分 IV. File Transfer, Synchronize, Storage And Backup/Restore

上一页下一页
部分 IV. File Transfer, Synchronize, Storage

And Backup/Restore
目录
33. Download Tools

下载所有图片
34. FTP (File Transfer Protocol)
ncftp
batch command
ncftpget
ncftpput
FileZilla
Proftpd + MySQL
Proftpd + OpenLDAP
35. Samba
install
smb.conf
by Example
share
user
test
显示共享目录
访问共享资源

用户登录
FAQ
36. File Synchronize
install with source
upload
download
mirror
rsync examples
rsync for windows
tsync
local
remote
config
server
node
test
37. Network Storage - Openfiler
Accounts
Volumes
RAID
iSCSI
Quota
Shares
38. Backup / Restore
Simple Backup
Bacula, the Open Source, Enterprise ready, Network Backup Tool for Linux, Unix, Mac
and Windows.
39. inotify
inotify-tools


pyinotify
40. Distributed Filesystem
disk and partition
Installation
configure
Starting
Using
Coda
GlusterFS
MogileFS
Lustre
Hadoop - HDFS
上一页下一页
log file 起始页第 33 章 Download Tools

第 33 章 Download Tools
部分 IV. File Transfer, Synchronize, Storage And Backup/
上一页下一页
Restore
目录

下载所有图片

wget各种选项分类列表
* 启动
-V, –version 显示wget的版本后退出
-h, –help 打印语法帮助
-b, –background 启动后转入后台执行
-e, –execute=COMMAND 执行`.wgetrc’格式的命令，wgetrc格式参见/etc/wgetrc或~/.wgetrc
* 记录和输入文件
-o, –output-file=FILE 把记录写到FILE文件中
-a, –append-output=FILE 把记录追加到FILE文件中
-d, –debug 打印调试输出
-q, –quiet 安静模式(没有输出)
-v, –verbose 冗长模式(这是缺省设置)
-nv, –non-verbose 关掉冗长模式，但不是安静模式
-i, –input-file=FILE 下载在FILE文件中出现的URLs
-F, –force-html 把输入文件当作HTML格式文件对待
-B, –base=URL 将URL作为在-F -i参数指定的文件中出现的相对链接的前缀
–sslcertfile=FILE 可选客户端证书
–sslcertkey=KEYFILE 可选客户端证书的KEYFILE
–egd-file=FILE 指定EGD socket的文件名
* 下载
–bind-address=ADDRESS 指定本地使用地址(主机名或IP，当本地有多个IP或名字时使用)
-t, –tries=NUMBER 设定最大尝试链接次数(0 表示无限制).
-O –output-document=FILE 把文档写到FILE文件中
-nc, –no-clobber 不要覆盖存在的文件或使用.#前缀
-c, –continue 接着下载没下载完的文件
–progress=TYPE 设定进程条标记
-N, –timestamping 不要重新下载文件除非比本地文件新
-S, –server-response 打印服务器的回应

–spider 不下载任何东西
-T, –timeout=SECONDS 设定响应超时的秒数
-w, –wait=SECONDS 两次尝试之间间隔SECONDS秒
–waitretry=SECONDS 在重新链接之间等待1…SECONDS秒
–random-wait 在下载之间等待0…2*WAIT秒
-Y, –proxy=on/off 打开或关闭代理
-Q, –quota=NUMBER 设置下载的容量限制
–limit-rate=RATE 限定下载输率
* 目录
-nd –no-directories 不创建目录
-x, –force-directories 强制创建目录
-nH, –no-host-directories 不创建主机目录
-P, –directory-prefix=PREFIX 将文件保存到目录 PREFIX/…
–cut-dirs=NUMBER 忽略 NUMBER层远程目录
* HTTP 选项
–http-user=USER 设定HTTP用户名为 USER.
–http-passwd=PASS 设定http密码为 PASS.
-C, –cache=on/off 允许/不允许服务器端的数据缓存 (一般情况下允许).
-E, –html-extension 将所有text/html文档以.html扩展名保存
–ignore-length 忽略 `Content-Length’头域
–header=STRING 在headers中插入字符串 STRING
–proxy-user=USER 设定代理的用户名为 USER
–proxy-passwd=PASS 设定代理的密码为 PASS
–referer=URL 在HTTP请求中包含 `Referer: URL’头
-s, –save-headers 保存HTTP头到文件
-U, –user-agent=AGENT 设定代理的名称为 AGENT而不是 Wget/VERSION.
–no-http-keep-alive 关闭 HTTP活动链接 (永远链接).
–cookies=off 不使用 cookies.
–load-cookies=FILE 在开始会话前从文件 FILE中加载cookie
–save-cookies=FILE 在会话结束后将 cookies保存到 FILE文件中
* FTP 选项
-nr, –dont-remove-listing 不移走 `.listing’文件
-g, –glob=on/off 打开或关闭文件名的 globbing机制
–passive-ftp 使用被动传输模式 (缺省值).
–active-ftp 使用主动传输模式
–retr-symlinks 在递归的时候，将链接指向文件(而不是目录)
* 递归下载
-r, –recursive 递归下载－－慎用!
-l, –level=NUMBER 最大递归深度 (inf 或 0 代表无穷).
–delete-after 在现在完毕后局部删除文件
-k, –convert-links 转换非相对链接为相对链接
-K, –backup-converted 在转换文件X之前，将之备份为 X.orig
-m, –mirror 等价于 -r -N -l inf -nr.
-p, –page-requisites 下载显示HTML文件的所有图片
* 递归下载中的包含和不包含(accept/reject)
-A, –accept=LIST 分号分隔的被接受扩展名的列表

-R, –reject=LIST 分号分隔的不被接受的扩展名的列表

-D, –domains=LIST 分号分隔的被接受域的列表
–exclude-domains=LIST 分号分隔的不被接受的域的列表
–follow-ftp 跟踪HTML文档中的FTP链接
–follow-tags=LIST 分号分隔的被跟踪的HTML标签的列表
-G, –ignore-tags=LIST 分号分隔的被忽略的HTML标签的列表
-H, –span-hosts 当递归时转到外部主机
-L, –relative 仅仅跟踪相对链接
-I, –include-directories=LIST 允许目录的列表
-X, –exclude-directories=LIST 不被包含目录的列表
-np, –no-parent 不要追溯到父目录
setlocal ENABLEDELAYEDEXPANSION
for /l %%i in (1001,1,1162) do for /l %%j in (101,1,112) do @(
set s=%%i
set t=%%j
wget -O !s:~1,3!!t:~1,2!.jpg hxxp://www.sergeaura.net/TGP/!
s:~1,3!/images/!t:~1,2!.jpg)
endlocal
-np 的作用是不遍历父目录
-nd 不重新创建目录结构。
--accept=iso 仅下载所有扩展名为 iso 的文件
-i filename.txt 此命令常用于批量下载的情形，把所有需要下载文件的地址放到 filename.txt 中，然后 wget 就会自动

为你下载所有文件了。
-c 选项的作用为断点续传。
$ wget -m -k (-H) http://www.example.com/ 该命令可用来镜像一个网站，wget 将对链接进行转换。如果网站中

的图像是放在另外的站点，那么可以使用 -H 选项。
下载所有图片
wget --reject=htm,html,txt --accept=jpg,gif -p -m -H http://www.example.com

wget --domains=example.com --reject=htm,html,txt --accept=jpg,gif -p -m -H http://
www.example.com

部分 IV. File Transfer, Synchronize, Storage axel - A light download accelerator -

起始页
And Backup/Restore Console version


上一页第 33 章 Download Tools 下一页

axel
sudo apt-get install axel

第 33 章 Download Tools 起始页第 34 章 FTP (File Transfer Protocol)
第 34 章 FTP (File Transfer Protocol)

上一页下一页
Restore

目录
ncftp
batch command
ncftpget
ncftpput
FileZilla
Proftpd + MySQL
Proftpd + OpenLDAP
参考http://netkiller.8800.org/article/ftpserver/
ncftp
sudo apt-get install ncftp

ncftp ftp://neo@127.0.0.1
batch command
batch ftp command
neo@netkiller:~$ cat upload

#!/bin/bash
ncftp ftp://netkiller:******@netkiller.hikz.com/www/book/linux <<END_SCRIPT

put /home/neo/workspace/Development/public_html/book/linux/*.html
ncftpget

ncftpget ftp.freebsd.org . /pub/FreeBSD/README.TXT /pub/FreeBSD/index.html

ncftpget ftp.gnu.org /tmp '/pub/gnu/README.*'
ncftpget ftp://ftp.freebsd.org/pub/FreeBSD/README.TXT
ncftpget -R ftp.ncftp.com /tmp /ncftp (ncftp is a directory)
ncftpget -u gleason -p my.password Bozo.probe.net . '/home/mjg/.*rc'
ncftpget -u gleason Bozo.probe.net . /home/mjg/foo.txt (prompt for password)
ncftpget -f Bozo.cfg '/home/mjg/.*rc'
ncftpget -c ftp.freebsd.org /pub/FreeBSD/README.TXT | /usr/bin/more
ncftpget -c ftp://ftp.freebsd.org/pub/FreeBSD/README.TXT | /usr/bin/more
ncftpget -a -d /tmp/debug.log -t 60 ftp.wustl.edu . '/pub/
README*'
ncftpput
$ ncftpput -R -u netkiller -p password netkiller.hikz.com /home/netkiller/www ~/

public_html/*

axel - A light download accelerator - 起始页 FileZilla
Console version

FileZilla
FileZilla
上一页第 34 章 FTP (File Transfer Protocol) 下一页
FileZilla
http://filezilla-project.org/

第 34 章 FTP (File Transfer Protocol) 起始页 vsftpd - The Very Secure FTP
Daemon

$ sudo apt-get install vsftpd
test
[08:25:37 jobs:0] $ ncftp ftp://127.0.0.1

NcFTP 3.2.1 (Jul 29, 2007) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 127.0.0.1...
(vsFTPd 2.0.7)
Logging in...
Login successful.
Logged in to 127.0.0.1.
Current remote directory is /.
ncftp / >
enable local user
$ sudo vim /etc/vsftpd.conf
# Uncomment this to allow local users to log in.

local_enable=YES
$ sudo /etc/init.d/vsftpd reload
testing for local user
$ ncftp ftp://neo@127.0.0.1/
NcFTP 3.2.1 (Jul 29, 2007) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 127.0.0.1...
(vsFTPd 2.0.7)

Logging in...
Password requested by 127.0.0.1 for user "neo".
Please specify the password.
Password: *******
Login successful.
Logged in to 127.0.0.1.
Current remote directory is /home/neo.
ncftp /home/neo >

FileZilla ProFTPD + MySQL / OpenLDAP 用户认
起始页
证



准备工作
下载ProFTPD : ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.7.tar.gz
下载 mod_sql : http://www.lastditcheffort.org/~aah/proftpd/mod_sql/
下载mod_ldap-2.8.10 : http://www.horde.net/~jwm/software/mod_ldap/
Proftpd + MySQL
tar xvzf proftpd-version.tar.gz
cd proftpd-version
./configure --prefix=/usr/local/proftpd --with-modules=mod_sql:mod_sql_mysql
make
make install
安装成功后，测试ProFTPD，启动ProFTPD
/usr/local/proftpd/sbin/in.proftpd
如果没有显示任何信息，ProFTPD启动成功。使用系统用户登录Ftp Server
[root@linux sbin]# ftp localhost
Connected to localhost (127.0.0.1).
220 ProFTPD 1.2.7 Server (ProFTPD Default Installation) [linux.xuser.net]
Name (localhost:root):usera
331 Password required for usera.
Password:
230 User usera logged in.
Remote system type is UNIX.

Using binary mode to transfer files.
ftp>
ProFTPD测试成功，关闭ProFTPD
killall in.proftpd
编辑proftpd.conf文件
vi /usr/local/proftpd/etc/proftpd.conf
添加下面几行参数
<Global>
SQLConnectInfo ftpusers@localhost:3306 root chen
SQLAuthTypes Plaintext
SQLUserInfo users userid passwd uid gid homedir NULL
RequireValidShell off
SQLAuthenticate users groups usersetfast groupsetfast
</Global>
格式说明：
SQLConnectInfo 数据库@主机名:端口用户密码
SQLAuthTypes 密码类型（Plaintext明文密码，Crypt DES密码，Backend MySQL password()函数产生的

密码）
SQLUserInfo [用户表] [用户名字段] [密码字段] [用户ID] [组ID] [用户目录] NULL
创建ftpusers.sql文件
[mysql@linux mysql]$ vi ftpusers.sql
-- MySQL dump 8.22
--
-- Host: localhost Database: proftpd

---------------------------------------------------------
-- Server version 3.23.52-max
--
-- Table structure for table 'groups'
--
CREATE TABLE groups (
groupname varchar(255) binary NOT NULL default '',
gid int(11) NOT NULL default '0',
members text NOT NULL,
PRIMARY KEY (groupname)
) TYPE=MyISAM;
--
-- Dumping data for table 'groups'
--
INSERT INTO groups VALUES ('nogroup',502,'FTP Group');
--
-- Table structure for table 'users'
--
CREATE TABLE users (

userid varchar(255) binary NOT NULL default '',
passwd varchar(255) binary NOT NULL default '',
uid int(11) default NULL,
gid int(11) default NULL,
homedir varchar(255) default NULL,
shell varchar(255) default NULL,
count int(11) default NULL,
used double(10,1) default '0.0',
quota double(10,1) default '10000000.0',
PRIMARY KEY (userid)
) TYPE=MyISAM;
--
-- Dumping data for table 'users'
--
INSERT INTO users VALUES ('chen','chen',500,500,'/home/samba','/bin/

sh',0,0.0,10000000.0);
INSERT INTO users VALUES ('user2','123456',500,500,'/home/samba','/bin/

bash',1,0.0,10000000.0);
INSERT INTO users VALUES ('user1','123456',NULL,NULL,'/u01',NULL,1,0.0,10000000.0);
创建数据库与表
[mysql@linux mysql]$ echo "create database ftpusers" | mysql -uroot -pchen
[mysql@linux mysql]$ mysql -uroot -pchen ftpusers < ftpusers.sql
[mysql@linux mysql]$

再次启动ProFTPD
这次使用MySQL用户登录Ftp Server
显示230 User xxxxx logged in. ＭySQL认证成功
Proftpd + OpenLDAP
tar xvzf proftpd-version.tar.gz
cd proftpd-version
./configure --prefix=/usr/local/proftpd --with-modules=mod_ldap
make
make install
# tar zxvf mod_ldap-2.8.10.tar.gz
将mod_ldap-2.8.10目录下的posixAccount-objectclass和posixGroup-objectclass
复制到OpenLDAP 的schema目录下：
# cp mod_ldap-2.8.10/posix* /etc/openldap/schema/
# vi /etc/openldap/slapd.conf
修改OpenLDAP的配置文件slapd.conf，将这两个文件包含到该文件中：
include /etc/openldap/schema/posixAccount-objectclass
include /etc/openldap/schema/posixGroup-objectclass
重新启动OpenLDAP：
# service ldap restart
Stopping slapd: [ OK ]

Starting slapd: [ OK ]
编辑proftpd.conf文件
vi /usr/local/proftpd/etc/proftpd.conf
添加下面几行参数
<Global>
LDAPServer localhost
LDAPDNInfo cn=your-dn,dc=horde,dc=net dnpass
LDAPDoAuth on "dc=users,dc=horde,dc=net"
</Global>
格式说明：
LDAPServer OpenLDAP服务器
LDAPDNInfo cn=你的-dn,dc=区域名,dc=区域名 dn密码
LDAPDoAuth on "dc=区域名,dc=区域名"
例子：
<Global>
LDAPDNInfo cn=manager,dc=xuser,dc=net secret
LDAPDoAuth on dc=xuser,dc=net
</Global>
根据自己需要修改mod_ldap-2.8.10目录中的group-ldif和user-ldif文件，并将条目添加到OpenLDAP中：
# ldapadd -x -D "cn=manager,dc=xuser,dc=net" -w secret -f group-ldif
# ldapadd -x -D "cn=manager,dc=xuser,dc=net" -w secret -f user-ldif
显示：adding new entry "cn=mygroup, dc=xuser, dc=net" 添加成功

使用ldapsearch查看记录
# ldapsearch -x -b "dc=xuser,dc=net"
启动ProFTPD：
使用OpenLDAP用户登录Ftp Server
显示230 User xxxxx logged in. OpenLDAP认证成功
例：
[root@linux mod_ldap-2.8.10]# cat group-ldif
dn: cn=mygroup, dc=xuser, dc=net
objectclass: posixGroup
cn: mygroup
gidNumber: 100
memberUid: user1
memberUid: user2
memberUid: user3
memberUid: user4
memberUid: ftpusersb
memberUid: usera
memberUid: jwm
memberUid: 100
[root@linux mod_ldap-2.8.10]# cat user-ldif
dn: uid=jwm, dc=xuser, dc=net
objectclass: posixAccount
cn: John Morrissey

uid: jwm
uidNumber: 2000
gidNumber: 100
homeDirectory: /home/chen
userPassword: {crypt}*
dn: uid=chen, dc=xuser, dc=net
cn: chen
uid: chen
uidNumber: 2000
gidNumber: 100
userPassword: {crypt}sa7XjjlytXZZ2
dn: cn=ftpuser1, dc=xuser, dc=net
cn: ftpuser1
uid: ftpuser1
uidNumber: 2000
gidNumber: 100
userPassword: {crypt}sa7XjjlytXZZ2

dn: uid=usera, dc=xuser, dc=net
cn: usera
uid: usera
uidNumber: 2000
gidNumber: 100
homeDirectory: /tmp
userPassword:{crypt}sa7XjjlytXZZ2
dn: uid=ftpuserb, dc=xuser, dc=net
cn: ftpuserb
uid: ftpuserb
uidNumber: 2000
gidNumber: 100
homeDirectory: /tmp
userPassword:{crypt}O2BooHEK9JI06
上面的用户密码是用crypt方式加密的密码，密码产生请看
使用PHP产生：
# cat des.php
<html>
<p>DES 密碼產生器</p>
<form method=post action=des.php>
<p>password:<input name=passwd type=text size=20></p>

<input type=submit value=submit>
</form>
<?
$enpw=crypt($passwd);
echo "password is: $enpw";
?>
使用perl产生：
perl -e 'print("userPassword: ".crypt("secret","salt")."\n");'
产生的DES密码，同样也可以用于OpenLDAP的管理员密码
# vi /etc/openldap/slapd.conf
rootpw {crypt}ijFYNcSNctBYg
四、标准的配置文件
MySQL认证配置实例
[root@linux root]# cat /usr/local/proftpd/etc/proftpd.conf
ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# We put our mod_sql directives in a <Global> block so they'll be

# inherited by the <Anonymous> block below, and any other <VirtualHost>
# blocks we may want to add. For a simple server these don't need to
# be in a <Global> block but it won't hurt anything.
<Global>
SQLConnectInfo ftpusers@localhost:3306 root chen
SQLAuthTypes Plaintext
SQLUserInfo users userid passwd uid gid homedir NULL
RequireValidShell off
SQLAuthenticate users groups usersetfast groupsetfast
</Global>
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
# Set the normal user and group permissions for the server.
User nobody
Group nogroup
# Normally, we want files to be overwriteable.
<Directory /*>
AllowOverwrite on
</Directory>

# A basic anonymous configuration, no upload directories. If you
# don't want to support anonymous access, simply remove this
# <Anonymous ..> ... </Anonymous> block.
<Anonymous ~ftp>
User ftp
Group ftp
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
# Limit the maximum number of anonymous logins
MaxClients 10
# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
DisplayLogin welcome.msg
DisplayFirstChdir .message
# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE>
DenyAll
</Limit>
</Anonymous>
OpenLDAP认证配置实例
[root@linux root]# cat /usr/local/proftpd/etc/proftpd.conf

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
<Global>
LDAPDoAuth on dc=xuser,dc=net
LDAPDNInfo cn=manager,dc=xuser,dc=net secret
</Global>
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections

# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30
# Set the user and group under which the server will run.
User nobody
Group nogroup
# Normally, we want files to be overwriteable.
<Directory />
AllowOverwrite on
</Directory>
# A basic anonymous configuration, no upload directories.
<Anonymous ~ftp>
User ftp
Group ftp
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
# Limit the maximum number of anonymous logins

MaxClients 10
# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
DisplayLogin welcome.msg
DisplayFirstChdir .message
# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE>
DenyAll
</Limit>
</Anonymous>
# Include /usr/local/etc/mod_ldap.conf
OpenLDAP 配置文件
[root@linux root]# cat /etc/openldap/slapd.conf
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt

Exp $
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

include /etc/openldap/schema/redhat/rfc822-MailMember.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/redhat/kerberosobject.schema
include /etc/openldap/schema/chen
include /etc/openldap/schema/posixAccount-objectclass
include /etc/openldap/schema/posixGroup-objectclass
#include /etc/openldap/schema/qmail_schema
#include /etc/openldap/slapd.info.oc.conf
#include /etc/openldap/slapd.account.oc.conf
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
#pidfile //var/run/slapd.pid
#argsfile //var/run/slapd.args
# Create a replication log in /var/lib/ldap for use by slurpd.
#replogfile /var/lib/ldap/master-slapd.replog
# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la

# moduleload back_shell.la
# The next two lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
#TLSCertificateFile /usr/share/ssl/certs/slapd.pem
#TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=xuser,dc=net"
rootdn "cn=Manager,dc=xuser,dc=net"
#rootdn "cn=Manager,dc=my-domain,dc=com"
#rootdn "cn=Manager,o=My Organization Name,c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
# Replicas to which we should propagate changes
#replica ldap-1.example.com:389 tls=yes
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
五、 FAQ
Q：在本地ftp localhost输入用户名、密码回车后。等很久才进入FTP Server
A：ftp 127.0.0.1
Q：在远程服务器上ftp ip输入用户名、密码回车后。等很久才进入FTP Server
A：LDAPServer localhost 改为 LDAPServer 127.0.0.1
Q：[root@linux mod_ldap-2.8.10]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
500 FTP server shut down (going down at Tue Dec 17 19:00:00 2002) -- please try
again later.
ftp>
A：rm –rf /etc/shutmsg
Q：登录Ftp Server 提示
530 Login incorrect.
Login failed.
我确认输入的用户、密码决对正确
A：在登录ProFTPD时加参数proftpd –d5 –n会输出调试信息。你可以在其中
找到答案。如果在调试信息中找到这一行no such user 'xxxx'

可能是与MySQL/OpenLDAP连接有问题。

Q：我在网上看见很多介绍如何安装ProFTPD文章,阅读大量的How to，按How to一步一步做，从来没有安装成功

过。
A：网上很多文章，比较老，很多定义现以不在使用如：
SQLConnectInfo laftp@localhost 用户名口令
SQLAuthTypes Plaintext Backend
SQLAuthoritative ON
SQLDefaultGID 1001
SQLDefaultUID 1001
SQLDoAuth ON
SQLDoGroupAuth ON
SQLGidField gid
SQLGroupGIDField gid
SQLGroupMembersField members
SQLGroupTable ftpgroup
SQLGroupnameField groupname
SQLHomedirField homedir
SQLMinUserUID 400
SQLMinUserGID 400
SQLPasswordField passwd
SQLUidField uid
SQLUserTable ftpuser
SQLUsernameField userid
SQLLoginCountField count
########################################################
LDAPServer "localhost"
LDAPPrefix "dc=horde,dc=net"
LDAPDN "cn=thedn,dc=horde,dc=net"

LDAPDNPass "ldap_dnpass"
LDAPNegativeCache on

vsftpd - The Very Secure FTP Daemon 起始页 Pure-FTPd + LDAP + MySQL + PGSQL +
Virtual-Users + Quota


Pure-FTPd + LDAP + MySQL + PGSQL + Virtual-Users +

Quota
参考 http://netkiller.8800.org/article/ftpserver/pureftpd/pureftpd.html

ProFTPD + MySQL / OpenLDAP 用户第 35 章 Samba
起始页
认证
第 35 章 Samba
第 35 章 Samba
上一页下一页
Restore
第 35 章 Samba
目录
install
smb.conf
by Example
share
user
test
显示共享目录
访问共享资源
用户登录
FAQ
install
环境 ubuntu 8.10
$ sudo apt-get install samba
查看Samba 服务器的端口
neo@shenzhen:~$ sudo netstat -tlnp |grep smb

tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 4480/
smbd
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 4480/
smbd
neo@shenzhen:~$
防火墙

第 35 章 Samba
neo@shenzhen:~$ iptables -L
iptables -L

Pure-FTPd + LDAP + MySQL + PGSQL + 起始页 smb.conf
Virtual-Users + Quota

smb.conf
smb.conf
上一页第 35 章 Samba 下一页
smb.conf
security = share|user 共享|用户模式
comment = 描述
valid users = '%S'登录用户，'neo'允许neo访问
read only = 'No'读写模式，'Yes'只读模式
browseable = 'No'不显示, 'Yes'显示
[global]
interfaces = lo, eth0
bind interfaces only = true

第 35 章 Samba 起始页 by Example
by Example
by Example
by Example
Backup the /etc/samba/smb.conf file:
sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.original
share
security = share
[tmp]
comment = test
writable = yes
locking = yes
path = /tmp
public = yes
[neo]
comment = neo
writable = yes
locking = yes
path = /home/neo/
public = yes
[htdocs]
comment = neo
writable = yes
locking = yes
path = /opt/lampp/htdocs
public = yes
user
sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.original

by Example
security = user
add user
sudo useradd -s /bin/true neo

sudo smbpasswd -L -a neo
enable
sudo smbpasswd -L -e neo
del user
sudo smbpasswd -L -x neo
test
测试配置文件是否正确
$ testparm
查看共享目录
$ smbclient -L localhost -N
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.3.2]
Sharename Type Comment

--------- ---- -------
print$ Disk Printer Drivers
developer Disk Development
IPC$ IPC IPC Service (ubuntu server (Samba, Ubuntu))

by Example
Server Comment
--------- -------
PRINTSERVER
UBUNTU ubuntu server (Samba, Ubuntu)
Workgroup Master
--------- -------
WORKGROUP PRINTSERVER
Windows 访问测试
C:\>net view \\192.168.3.40

在 \\192.168.3.40 的共享资源
ubuntu server (Samba, Ubuntu)
共享名类型使用为注释
----------------------------------------------------------
developer Disk Development
命令运行完毕，但发生一个或多个错误。

smb.conf 起始页 nmblookup - NetBIOS over TCP/IP client
used to lookup NetBIOS names


nmblookup - NetBIOS over TCP/IP client used to lookup

NetBIOS names
$ nmblookup -A 172.16.0.5
Looking up status of 172.16.0.5
USER <00> - B <ACTIVE>
WORKGROUP <00> - <GROUP> B <ACTIVE>
USER <20> - B <ACTIVE>
WORKGROUP <1e> - <GROUP> B <ACTIVE>
WORKGROUP <1d> - B <ACTIVE>
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
MAC Address = 00-25-64-A7-18-97

by Example 起始页 smbfs/smbmount/smbumount
sudo apt-get install smbfs
smbmount
$ sudo mkdir /mnt/winfs

$ sudo smbmount //172.16.0.92/tmp /mnt/winfs
$ ls /mnt/winfs/
使用neo帐号登录
$ sudo smbmount //172.16.0.92/tmp /mnt/winfs -o

username=neo
mount
$ mount -t smbfs -o username=jwhittal \\\\172.16.1.3\\c$ /mnt/thumb

nmblookup - NetBIOS over TCP/IP smbclient - ftp-like client to access
client used to lookup NetBIOS 起始页 SMB/CIFS resources on servers
names

$ sudo apt-get install smbclient
显示共享目录
$ smbclient -L 172.16.1.3
neo@netkiller:~$ smbclient -L 172.16.0.1

Enter neo's password:
Sharename Type Comment

--------- ---- -------
IPC$ IPC IPC Service (netkiller server (Samba, Ubuntu))
www Disk www diretcory
print$ Disk Printer Drivers
neo Disk Home Directories
Server Comment
--------- -------
DEBIAN debian server
NETKILLER netkiller server (Samba, Ubuntu)
Workgroup Master
--------- -------
WORKGROUP DEBIAN
访问共享资源
访问developer共享目录
$ smbclient //localhost/developer

Server not using user level security and no password supplied.
smb: \> ls

. D 0 Thu Oct 29 02:05:37 2009

.. D 0 Thu Oct 22 05:27:16 2009
ofcard.php 1104 Tue Oct 27 02:00:49 2009
index.html 580 Thu Oct 29 02:05:37 2009
webapps D 0 Wed Oct 28 06:04:08 2009
ecmall D 0 Thu Oct 22 00:00:12 2009
doc D 0 Wed Oct 28 06:04:09 2009
supersite D 0 Thu Oct 22 03:35:08 2009
empire D 0 Thu Oct 22 02:56:12 2009
discuz D 0 Wed Oct 21 22:04:29 2009
resin-data D 0 Wed Oct 28 06:21:02 2009
phpMyAdmin D 0 Sat Oct 24 09:02:29 2009
empirecms6 D 0 Thu Oct 22 04:12:44 2009
ecshop D 0 Wed Oct 21 21:56:40 2009
watchdog-data D 0 Wed Oct 28 06:07:19 2009
ucenter D 0 Wed Oct 21 22:41:58 2009
ecshop.old D 0 Fri Oct 23 11:35:39 2009
magento D 0 Tue Oct 6 19:19:54 2009
weberp D 0 Fri Oct 23 05:21:33 2009
61335 blocks of size 131072. 41655 blocks available

smb: \>
用户登录
使用用户Neo登录
$ smbclient //localhost/developer -U neo

Domain=[UBUNTU] OS=[Unix] Server=[Samba 3.3.2]
smb: \> ls
. D 0 Thu Oct 29 03:13:31 2009
.. D 0 Thu Oct 22 05:27:16 2009
ofcard.php 1104 Tue Oct 27 02:00:49 2009
index.html 676 Thu Oct 29 03:13:31 2009
webapps D 0 Wed Oct 28 06:04:08 2009
ecmall D 0 Thu Oct 22 00:00:12 2009
doc D 0 Wed Oct 28 06:04:09 2009
supersite D 0 Thu Oct 22 03:35:08 2009
empire D 0 Thu Oct 22 02:56:12 2009
discuz D 0 Wed Oct 21 22:04:29 2009
resin-data D 0 Wed Oct 28 06:21:02 2009
phpMyAdmin D 0 Sat Oct 24 09:02:29 2009
empirecms6 D 0 Thu Oct 22 04:12:44 2009
ecshop D 0 Wed Oct 21 21:56:40 2009
watchdog-data D 0 Wed Oct 28 06:07:19 2009
ucenter D 0 Wed Oct 21 22:41:58 2009

ecshop.old D 0 Fri Oct 23 11:35:39 2009

magento D 0 Tue Oct 6 19:19:54 2009
weberp D 0 Fri Oct 23 05:21:33 2009
61335 blocks of size 131072. 41654 blocks available

smb: \> quit

smbfs/smbmount/smbumount 起始页 smbtar - shell script for backing up SMB/
CIFS shares directly to UNIX tape drives

smbtar - shell script for backing up SMB/CIFS shares

directly to UNIX tape drives

smbclient - ftp-like client to access 起始页 FAQ
SMB/CIFS resources on servers
FAQ
FAQ
FAQ
'/www' does not exist or permission denied when connecting to [www] Error was
Permission denied
[2010/05/17 17:26:08, 0] smbd/service.c:make_connection_snum(1013)
Permission denied
Permission denied
Permission denied
Permission denied
Permission denied
Permission denied
Permission denied
关闭 SELinux

smbtar - shell script for backing up SMB/ 起始页第 36 章 File Synchronize
CIFS shares directly to UNIX tape drives
第 36 章 File Synchronize
上一页部分 IV. File Transfer, Synchronize, Storage And Backup/Restore 下一页
目录

install with source
upload
download
mirror
rsync examples
rsync for windows
tsync
local
remote
config
server
node
test

rsync is an open source utility that provides fast incremental file transfer. rsync is freely available under the
GNU General Public License version 2 and is currently being maintained by Wayne Davison.
install with source
过程 36.1. rsync
1. 安装rsync
在AS3 第二张CD上找到rsync-2.5.6-20.i386.rpm
[root@linuxas3 root]# cd /mnt

[root@linuxas3 mnt]# mount cdrom
[root@linuxas3 mnt]# cd cdrom/RedHat/RPMS
[root@linuxas3 RPMS]# rpm -ivh rsync-2.5.6-20.i386.rpm
2. 配置/etc/rsyncd.conf
在rh9,as3系统上rsync安装后,并没有创建rsyncd.conf文档，要自己创建rsyncd.conf文档
[root@linuxas3 root]# vi /etc/rsyncd.conf

uid=nobody
gid=nobody
max connections=5
use chroot=no
log file=/var/log/rsyncd.log
pid file=/var/run/rsyncd.pid
lock file=/var/run/rsyncd.lock
#auth users=root
secrets file=/etc/rsyncd.passwd
[postfix]
path=/var/mail
comment = backup mail
ignore errors
read only = yes
list = no
auth users = postfix
[netkiller]
path=/home/netkiller/web
comment = backup 9812.net
ignore errors
read only = yes
list = no
auth users = netkiller
[pgsqldb]
path=/var/lib/pgsql
comment = backup postgresql database
ignore errors
read only = yes
list = no
a. 选项说明
uid = nobody
gid = nobody
use chroot = no # 不使用chroot
max connections = 4 # 最大连接数为4
pid file = /var/run/rsyncd.pid #进程ID文件
lock file = /var/run/rsync.lock
log file = /var/log/rsyncd.log # 日志记录文件
secrets file = /etc/rsyncd.pwd # 认证文件名,主要保存用户密码，权限建议设为600，所有者root
[module] # 这里是认证的模块名，在client端需要指定
path = /var/mail # 需要做镜像的目录
comment = backup xxxx # 注释
ignore errors # 可以忽略一些无关的IO错误
read only = yes # 只读
list = no # 不允许列文件
auth users = postfix # 认证的用户名，如果没有这行，则表明是匿名
[other]
path = /path/to...
comment = xxxxx

b. 密码文件
在server端生成一个密码文件/etc/rsyncd.pwd
[root@linuxas3 root]# echo postfix:xxx >>/etc/rsyncd.pwd

[root@linuxas3 root]# echo netkiller:xxx >>/etc/rsyncd.pwd
[root@linuxas3 root]# chmod 600 /etc/rsyncd.pwd
c. 启动rsync daemon
[root@linuxas3 root]# rsync --daemon
3. 添加到启动文件
echo　"rsync　--daemon"　>>　/etc/rc.d/rc.
local [ OK ]
cat /etc/rc.d/rc.local 确认一下

4. 测试
[root@linux docbook]# rsync rsync://netkiller.8800.org/netkiller

[root@linux tmp]# rsync rsync://netkiller@netkiller.8800.org/netkiller
Password:
[chen@linux temp]$ rsync -vzrtopg --progress --delete postfix@netkiller.8800.

org::postfix /tmp
Password:
过程 36.2. installation setp by setp
1. installation
$ sudo apt-get install rsync
2. enable
$ sudo vim /etc/default/rsync
RSYNC_ENABLE=true
3. config /etc/rsyncd.conf
$ sudo vim /etc/rsyncd.conf

uid=nobody
gid=nobody
max connections=5
use chroot=no
pid file=/var/run/rsyncd.pid
lock file=/var/run/rsyncd.lock
log file=/var/log/rsyncd.log
#auth users=root
secrets file=/etc/rsyncd.secrets
[neo]
path=/home/neo/www
comment = backup neo
ignore errors
read only = yes
list = no
auth users = neo
[netkiller]
path=/home/netkiller/public_html
comment = backup netkiller
ignore errors
read only = yes
list = no
auth users = netkiller
[mirror]
path=/var/www/netkiller.8800.org/html/
comment = mirror netkiller.8800.org
exclude = .svn
ignore errors
read only = yes
list = yes
[music]
path=/var/music
comment = backup music database
ignore errors
read only = yes
list = no
[pgsqldb]
path=/var/lib/pgsql
comment = backup postgresql database
ignore errors
read only = yes
list = no
auth users = neo,netkiller
4. /etc/rsyncd.secrets
$ sudo vim /etc/rsyncd.secrets
neo:123456
netkiller:123456
$ sudo chmod 600 /etc/rsyncd.secrets

5. start
$ sudo /etc/init.d/rsync start
6. test
$ rsync -vzrtopg --progress --delete neo@localhost::neo /tmp/test1/

$ rsync -vzrtopg --progress --delete localhost::music /tmp/test2/
firewall
$ sudo ufw allow rsync
upload
$ rsync -v -u -a --delete --rsh=ssh --stats localfile username@hostname:/

home/username/
for example:
I want to copy local workspace of eclipse directory to another computer.
$ rsync -v -u -a --delete --rsh=ssh --stats workspace neo@192.168.245.131:/

home/neo/
download
$ rsync -v -u -a --delete --rsh=ssh --stats neo@192.168.245.131:/home/neo/

* /tmp/
mirror
rsync使用方法
rsync rsync://认证用户@主机/模块
rsync -vzrtopg --progress --delete 认证用户@主机::模块 /mirror目录
1. transfer file from src to dest directory

neo@netkiller:/tmp$ mkdir rsync

neo@netkiller:/tmp$ cd rsync/
neo@netkiller:/tmp/rsync$ ls
neo@netkiller:/tmp/rsync$ mkdir src dest
neo@netkiller:/tmp/rsync$ echo file1 > src/file1
2. skipping directory
neo@netkiller:/tmp/rsync$ mkdir src/dir1

neo@netkiller:/tmp/rsync$ mkdir src/dir2
neo@netkiller:/tmp/rsync$ rsync src/* dest/
skipping directory src/dir1
skipping directory src/dir2
3. recurse into directories
neo@netkiller:/tmp/rsync$ rsync -r src/* dest/

neo@netkiller:/tmp/rsync$ ls dest/
dir1 dir2 file1 file2 file3
4. backup
neo@netkiller:/tmp/rsync$ rsync -r --backup --suffix=.2008-11-21 src/* dest/

dir1 dir2 file1 file1.2008-11-21 file2 file2.2008-11-21 file3 file3.2008-11-21
neo@netkiller:/tmp/rsync$
backup-dir
neo@netkiller:/tmp/rsync$ rsync -r --backup --suffix=.2008-11-21 --backup-

dir mybackup src/* dest/
dir1 dir2 file1 file1.2008-11-21 file2 file2.2008-11-21 file3 file3.2008-
11-21 mybackup
neo@netkiller:/tmp/rsync$ ls dest/mybackup/
file1.2008-11-21 file2.2008-11-21 file3.2008-11-21
rsync -r --backup --suffix=.2008-11-21 --backup-dir ../mybackup src/* dest/

neo@netkiller:/tmp/rsync$ ls
dest mybackup src
neo@netkiller:/tmp/rsync$ ls src/
5. update
neo@netkiller:/tmp/rsync$ rm -rf dest/*

neo@netkiller:/tmp/rsync$ rsync -r -u src/* dest/

neo@netkiller:/tmp/rsync$ echo netkiller>>src/file2
neo@netkiller:/tmp/rsync$ rsync -v -r -u src/* dest/
building file list ... done
file2
sent 166 bytes received 42 bytes 416.00 bytes/sec

total size is 38 speedup is 0.18
update by time and size
neo@netkiller:/tmp/rsync$ echo Hi>src/dir1/file1.1

neo@netkiller:/tmp/rsync$ rsync -v -r -u src/* dest/
building file list ... done
dir1/file1.1

6. --archive
rsync -a src/ dest/
7. --compress
rsync -a -z src/ dest/
8. --delete
src
svn@netkiller:~$ ls src/
dest
neo@netkiller:~$ rsync -v -u -a --delete -e ssh svnroot@127.0.0.1:/home/svnroot/

src /tmp/dest
svnroot@127.0.0.1's password:
receiving file list ... done
created directory /tmp/dest
src/
src/file1
src/file2
src/file3
src/dir1/
src/dir2/


src
svn@netkiller:~$ rm -rf src/file2

svn@netkiller:~$ rm -rf src/dir2
dest
neo@netkiller:~$ rsync -v -u -a --delete -e ssh svnroot@127.0.0.1:/home/svnroot/

src /tmp/dest
svnroot@127.0.0.1's password:
receiving file list ... done
deleting src/dir2/
deleting src/file2
src/

rsync examples
http://samba.anu.edu.au/rsync/examples.html
例 36.1. examples
backup to a central backup server with 7 day incremental
例 36.2. backup to a central backup server with 7 day incremental
#!/bin/sh
# This script does personal backups to a rsync backup server. You will end up
# with a 7 day rotating incremental backup. The incrementals will go
# into subdirectories named after the day of the week, and the current
# full backup goes into a directory called "current"
# tridge@linuxcare.com
# directory to backup
BDIR=/home/$USER
# excludes file - this contains a wildcard pattern per line of files to exclude
EXCLUDES=$HOME/cron/excludes
# the name of the backup machine

BSERVER=owl
# your password on the backup server

export RSYNC_PASSWORD=XXXXXX

########################################################################
BACKUPDIR=`date +%A`
OPTS="--force --ignore-errors --delete-excluded --exclude-from=$EXCLUDES
--delete --backup --backup-dir=/$BACKUPDIR -a"
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin
# the following line clears the last weeks incremental directory

[ -d $HOME/emptydir ] || mkdir $HOME/emptydir
rsync --delete -a $HOME/emptydir/ $BSERVER::$USER/$BACKUPDIR/
rmdir $HOME/emptydir
# now the actual transfer

rsync $OPTS $BDIR $BSERVER::$USER/current
backup to a spare disk
例 36.3. backup to a spare disk
I do local backups on several of my machines using rsync. I have an

extra disk installed that can hold all the contents of the main
disk. I then have a nightly cron job that backs up the main disk to
the backup. This is the script I use on one of those machines.
#!/bin/sh
export PATH=/usr/local/bin:/usr/bin:/bin
LIST="rootfs usr data data2"
for d in $LIST; do
mount /backup/$d
rsync -ax --exclude fstab --delete /$d/ /backup/$d/
umount /backup/$d
done
DAY=`date "+%A"`
rsync -a --delete /usr/local/apache /data2/backups/$DAY

rsync -a --delete /data/solid /data2/backups/$DAY
The first part does the backup on the spare disk. The second part
backs up the critical parts to daily directories. I also backup the
critical parts using a rsync over ssh to a
remote machine.
mirroring vger CVS tree

例 36.4. mirroring vger CVS tree
The vger.rutgers.edu cvs tree is mirrored onto cvs.samba.org via

anonymous rsync using the following script.
#!/bin/bash
cd /var/www/cvs/vger/
PATH=/usr/local/bin:/usr/freeware/bin:/usr/bin:/bin
RUN=`lps x | grep rsync | grep -v grep | wc -l`

if [ "$RUN" -gt 0 ]; then
echo already running
exit 1
fi
rsync -az vger.rutgers.edu::cvs/CVSROOT/ChangeLog $HOME/ChangeLog
sum1=`sum $HOME/ChangeLog`
sum2=`sum /var/www/cvs/vger/CVSROOT/ChangeLog`
if [ "$sum1" = "$sum2" ]; then

echo nothing to do
exit 0
fi
rsync -az --delete --force vger.rutgers.edu::cvs/ /var/www/cvs/vger/

exit 0
Note in particular the initial rsync of the ChangeLog to determine if

anything has changed. This could be omitted but it would mean that the
rsyncd on vger would have to build a complete listing of the cvs area
at each run. As most of the time nothing will have changed I wanted to
save the time on vger by only doing a full rsync if the ChangeLog has
changed. This helped quite a lot because vger is low on memory and
generally quite heavily loaded, so doing a listing on such a large
tree every hour would have been excessive.
automated backup at home
例 36.5. automated backup at home
I use rsync to backup my wifes home directory across a modem link each
night. The cron job looks like this
#!/bin/sh
cd ~susan
{
echo
date
dest=~/backup/`date +%A`
mkdir $dest.new
find . -xdev -type f $ -mtime 0 -or -mtime 1 $ -exec cp -aPv "{}"
$dest.new \;

cnt=`find $dest.new -type f | wc -l`

if [ $cnt -gt 0 ]; then
rm -rf $dest
mv $dest.new $dest
fi
rm -rf $dest.new
rsync -Cavze ssh . samba:backup
} >> ~/backup/backup.log 2>&1
note that most of this script isn't anything to do with rsync, it just
creates a daily backup of Susans work in a ~susan/backup/ directory so
she can retrieve any version from the last week. The last line does
the rsync of her directory across the modem link to the host
samba. Note that I am using the -C option which allows me to add
entries to .cvsignore for stuff that doesn't need to be
backed up.
Fancy footwork with remote file lists
例 36.6. Fancy footwork with remote file lists
One little known feature of rsync is the fact that when run over a
remote shell (such as rsh or ssh) you can give any shell command as
the remote file list. The shell command is expanded by your remote
shell before rsync is called. For example, see if you can work out
what this does:
rsync -avR remote:'`find /home -name "*.[ch]"`' /tmp/
note that that is backquotes enclosed by quotes (some browsers don't

show that correctly).
rsync for windows
http://www.rsync.net/resources/howto/windows_rsync.html

FAQ 起始页 tsync

tsync
tsync
上一页第 36 章 File Synchronize 下一页
tsync
homepage: http://tsyncd.sourceforge.net/

第 36 章 File Synchronize 起始页 Unison File Synchronizer


If you are looking for a tool to sync your laptop with your workstation, you better have a look
at Unison.
homepage: http://www.cis.upenn.edu/~bcpierce/unison/
installation
$ sudo apt-get install unison
local
dir to dir
unison dir1 dir2
remote
ssh
unison dir1 ssh://username@remotehostname(ip)//absolute/path/to/

dir2
socket
target host
# unison -socket NNNN

source host
# unison dir1 socket://remotehost(ip):port//absolute/path/to/

dir2
config
create a config file under '.unison' directory.
vim ~/.unison/config.prf
root = /var/www
root = ssh://netkiller@netkiller.8800.org//var/www
force = /var/www
ignore = Path templates_compiled
ignore = Name tmp/*.pdf
auto = true
log = true
logfile = /home/netkiller/.unison/netkiller.8800.org.log

tsync 起始页 csync2 - cluster synchronization tool



homepage: http://oss.linbit.com/
server
过程 36.3. Install and setup csync2 on Ubuntu
1. installation
$ sudo apt-get install csync2 sqlite3 openssl xinetd
The following line will be added to your /etc/inetd.conf file:
$ cat /etc/inetd.conf
csync2 stream tcp nowait root /usr/sbin/csync2 csync2 -
i
If you are indeed using xinetd, you will have to convert the above into /etc/xinetd.conf format, and add it
manually.
service csync2
{
disable = no
protocol = tcp
socket_type = stream
wait = no
user = root
server = /usr/sbin/csync2
server_args = -i
}
/etc/services
$ cat /etc/services |grep csync2

csync2 30865/tcp # cluster synchronization tool
2. create a self-signed SSL certificate for csync2

sudo openssl genrsa -out /etc/csync2_ssl_key.pem 1024

sudo openssl req -new -key /etc/csync2_ssl_key.pem -out /etc/csync2_ssl_cert.csr
sudo openssl x509 -req -days 600 -in /etc/csync2_ssl_cert.csr -signkey /etc/
csync2_ssl_key.pem -out /etc/csync2_ssl_cert.pem
$ sudo csync2 -k /etc/csync2_ssl_cert.key
3. After having done everything, we are now going to configure Csync2 so that we can determine which files are
going to be synchronized.
For this example, we are going to synchronize /etc/apache2 and /etc/mysql. For that we open /etc/csync2.cfg and
we configure it like this:
$ sudo vim /etc/csync2.cfg

# please see the REAMDE file how to configure csync2
group testing #group name, we can have multiple groups

{
host master; #master server
host (slave); #slave server
#host (node1);
key /etc/csync2_ssl_cert.key;
include /etc/apache2/;
include /home/neo;
backup-directory /var/backups/csync2;
backup-generations 3;
auto none; #no automatic sync
}
4. hosts
$ sudo vim /etc/hosts

192.168.245.131 slave
5. restart
$ sudo /etc/init.d/xinetd restart
node
过程 36.4. node

1. login to slave node
neo@slave:~$ sudo vim /etc/hosts

192.168.245.129 master
2. install
$ sudo apt-get install csync2 xinetd
3. copy config file from master
neo@slave:~$ sudo scp root@master:/etc/csync2* /etc/
4. restart
neo@slave:~$ sudo /etc/init.d/xinetd restart
test
过程 36.5. testing
1. master
neo@master:/etc/apache2$ sudo touch test.master

neo@master:/etc/apache2$ sudo csync2 -x
2. node
neo@slave:/etc/apache2$ ls test.master -l
-rw-r--r-- 1 root root 0 2008-10-31 06:37 test.master
例 36.7. /etc/csync2.cfg
$ sudo cat /etc/csync2.cfg
# please see the REAMDE file how to configure csync2

# group name, we can have multiple groups

group www {
host master;
host (slave);
key /etc/csync2_ssl_cert.key;
include /etc/apache2/;
include /etc/csync2.cfg;
include /var/www;
include %homedir%/neo;
exclude %homedir%/neo/temp;
exclude *~ .*;
action
{
pattern /etc/apache2/httpd.conf;
pattern /etc/apache2/sites-available/*;
exec "/usr/sbin/apache2ctl graceful";
logfile "/var/log/csync2_action.log";
do-local;
}
backup-directory /var/backups/csync2;
backup-generations 3;
auto none;
}
prefix homedir
{
on *: /home;
}

Unison File Synchronizer 起始页第 37 章 Network Storage - Openfiler

第 37 章 Network Storage - Openfiler

上一页部分 IV. File Transfer, Synchronize, Storage And Backup/Restore 下一页

目录
Accounts
Volumes
RAID
iSCSI
Quota
Shares
Openfiler is a powerful, intuitive browser-based network storage software distribution. Openfiler delivers file-
based Network Attached Storage and block-based Storage Area Networking in a single framework.
openfiler 的官方网站
过程 37.1. Openfiler Storage Control Center
1. 登录管理界面
https://<ip address>:446/
初始帐号和密码是: openfiler/password
2. 首先要修改默认密码
Accounts->Admin Password
Current Password: password

New Password: 新密码
Confirm New Password: 确认密码
Submit 提交
Accounts
● 用户认证
openfiler.ldif
dn: ou=people,dc=bg7nyt,dc=cn

ou: people
dn: ou=Idmap,dc=bg7nyt,dc=cn
ou: Idmap
添加people组织单元
[chenjingfeng@backup ldap]$ ldapadd -x -D "cn=root,dc=bg7nyt,dc=cn" -W -f openfiler.

ldif
Enter LDAP Password:
adding new entry "ou=people,dc=bg7nyt,dc=cn"
adding new entry "ou=Idmap,dc=bg7nyt,dc=cn"
a. Accounts->Authentication
Use LDAP: 打勾
Server: ldap.bg7nyt.cn
Base DN: dc=bg7nyt,dc=cn
Root bind DN: cn=root,dc=bg7nyt,dc=cn
Root bind Password: 你的密码
b. Services->LDAP Settings
Base DN: dc=bg7nyt,dc=cn

Root bind DN: cn=root,dc=bg7nyt,dc=cn
Root Password: 你的密码

● Services->Enable/Disable
● Accounts->Account Administration
i. Group Administration
Group Name: nfs
ii. User Administration
Username: 用户名
Password: 密码
Retype password: 确认密码
Primary Group: 用户组
查看组织单元：ou=people,dc=bg7nyt,dc=cn
[chenjingfeng@backup ldap]$ ldapsearch -x -b 'ou=people,dc=bg7nyt,dc=cn'

# extended LDIF
#
# LDAPv3
# base <ou=people,dc=bg7nyt,dc=cn> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
# people, bg7nyt.cn
dn: ou=people,dc=bg7nyt,dc=cn

ou: people
# neo, People, bg7nyt.cn

dn: uid=neo,ou=People,dc=bg7nyt,dc=cn
objectClass: inetOrgPerson
objectClass: posixAccount
homeDirectory: /dev/null
loginShell: /bin/false
cn: neo
givenName: neo
sn: neo
uid: neo
uidNumber: 500
gidNumber: 500
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2

csync2 - cluster synchronization tool 起始页 Volumes

Volumes
Volumes
上一页第 37 章 Network Storage - Openfiler 下一页
Volumes
● 卷管理 [Volumes]
我这里是使用VMware做的试验,在VMware中增加一些硬盘即可.
a. Volumes -> Physical Storage Mgmt.
Edit Disk Type Description Size Label type Partitions

/dev/sda SCSI VMware, VMware Virtual S 8.00 GB msdos 3 (view)
/dev/sdb SCSI VMware, VMware Virtual S 8.00 GB gpt 0 (view)
/dev/sdc SCSI VMware, VMware Virtual S 8.00 GB gpt 0 (view)
/dev/sdd SCSI VMware, VMware Virtual S 8.00 GB gpt 0 (view)
...
openfiler安装在/dev/sda,/dev/sda硬盘空间不用太大,单独给openfiler使用.建议做RAID 1(硬件RAID卡或服务器主版
提供的RAID)
其它硬盘是用于存储的硬盘,如果有条件这些硬盘组也最好做成硬RAID,没有条件我们可以在openfiler中做软件RAID.

Volumes
点击"Edit Disk"列表内硬盘标签,之后可以看到"Create a partition in /dev/sdb"
Mode: Primary
Partition Type: [Physical volume] / [RAID array member]
Starting cylinder: 1
Ending cylinder Size: 1044
Size: 自动产生
单击"Create"创建分区

Volumes
Back to the list of physical storage devices
如果没有特别需求,不需要创建多个分区.
Edit partitions in /dev/sdb (1044 cylinders with "gpt" label)
Device Type Number Start cyl End cyl Blocks Size Type Delete
/dev/sdb1 Linux Physical Volume (0x8e) 1 1 10 78831 76.98 MB Primary Delete
● Volumes->Volume Group Mgmt.
Volume Group 可以实现动态扩展空间,注意如果在使用中有一个成员盘损坏,你将无法恢复数据.
应急使用可以,不建议长期使用.

Volumes
Volume group name: vg0

Select physical volumes to add: 在列表前面打勾
/dev/sdb1 8.00 GB
/dev/sdc1 8.00 GB
单击"Add volume group"创建vg0
表 37.1. Volume Group Management
Volume Group Name Size Allocated Free Members Add physical storage Delete VG

Volumes
vg0 15.94 GB 0 bytes 15.94 GB View member PVs Add PVs Delete
扩展Volume Group单击[PVs Add]按钮
分区列表前面打勾
[Submit]提交
● Volumes -> Create New Volume
选择VG
创建卷

Volumes
Volume Name: 卷名
Volume Description: 描述
Required Space (MB): 配额
Filesystem type: 文件系统
单击[Create]按钮

Volumes
RAID
Openfiler提供软RAID.
1. Volumes -> Physical Storage Mgmt.

Volumes
点击"Edit Disk"列表内硬盘标签,之后可以看到"Create a partition in /dev/sdb"
单击[Create]按钮创建RAID组成员

Volumes
单击[Back to the list of physical storage devices]返回到 "Physical Storage Management"
2. Volumes -> Software RAID Mgmt.

Volumes
Select RAID array type: RAID(0,1,5,6,10)

Select chunk size: 这可以针对你的需求做优化
Select RAID devices to add: 打勾选择
单击[Add array]创建RAID

Volumes
RAID创建完成后,就可以卷组和卷
Volumes -> Volume Group Mgmt. -> Create New Volume
RAID 6 采用双校验盘最少4块硬盘
iSCSI
Volumes -> Create New Volume

Volumes
单击[Create]按钮
单击[Update]按钮
Services -> Enable/Disable -> iSCSI target 确认已经 Enable
General -> Local Networks

Volumes
Volumes -> List of Existing Volumes -> Select Volume Group
单击 iScsi 卷列表 Properties 下的 [Edit] 连接
默认是:Deny, 修为Allow
Microsoft iSCSI Software Initiator
开始菜单找到 Microsoft iSCSI Initiator 并运行
单击 Discovery 选项卡
单击 [ Add ] 按钮

Volumes
单击 [ OK ] 按钮

Volumes
单击 Targets 选项卡

Volumes
单击 [Refresh] 按钮 -> [Log On...]

Volumes
单击 [ OK ] 按钮
完成Initiator设置
我的电脑 -> 单击鼠标右键 -> 管理

Volumes
初始化硬盘

Volumes
选择硬盘
初始化完成，红色图标消失后你就可以对磁盘分区，挂载卷，格式化。
使用 iSCSI 与使用本地磁盘完全一样。
Status -> iSCSI

第 37 章 Network Storage - Openfiler 起始页 Quota

Quota
Quota
Quota
●
注意
有些文件系统不支持Quota
a. Quota -> Guest Quota
单击[Change]按钮
单击[Apply]按钮

Volumes 起始页 Shares
Shares
Shares
Shares
● Shares
单击列表内的连接.

Shares
Folder name: 输入文件夹名
单击 [Create Sub-folder] 按钮创建文件夹

Shares
Share name: 输入共享名

Share description: 描述
Override SMB share name:

Shares
单击[Change]按钮修改
组的权限制

Shares
主机访问权限配置

Quota 起始页第 38 章 Backup / Restore

第 38 章 Backup / Restore
部分 IV. File Transfer, Synchronize, Storage And
上一页下一页
Backup/Restore
目录
Simple Backup
Bacula, the Open Source, Enterprise ready, Network Backup Tool for Linux, Unix, Mac and
Windows.
Simple Backup
tar
# Server
$ tar cf - win98 | nc -l -p 5555
# Backup Machine
nc server_ip/server_doman_name 5555 | tar xf -

Shares Bacula, the Open Source,
起始页 Enterprise ready, Network Backup
Tool for Linux, Unix, Mac and
Windows.
Bacula, the Open Source, Enterprise ready, Network Backup Tool for Linux, Unix, Mac and Windows.
Bacula, the Open Source, Enterprise ready, Network Backup Tool for Linux, Unix,
Mac and Windows.
上一页第 38 章 Backup / Restore 下一页
Bacula, the Open Source, Enterprise ready, Network Backup

Tool for Linux, Unix, Mac and Windows.
http://www.bacula.org/

第 38 章 Backup / Restore 起始页 Amanda: Open Source Backup

上一页第 38 章 Backup / Restore 下一页

http://www.amanda.org/
Amanda is the most popular open source backup and recovery software in the world. Amanda
protects more than half a million of servers and desktops running various versions of Linux,
UNIX, BSD, Mac OS-X and Microsoft Windows operating systems worldwide.

Bacula, the Open Source, Enterprise 第 39 章 inotify
ready, Network Backup Tool for 起始页
Linux, Unix, Mac and Windows.
第 39 章 inotify
第 39 章 inotify
部分 IV. File Transfer, Synchronize, Storage And
上一页下一页
Backup/Restore
第 39 章 inotify
目录
inotify-tools
pyinotify
$ ls -ld /proc/sys/fs/inotify/*
inotify-tools
Installation
sudo apt-get install inotify-tools
inotifywait -r -m $HOME
监控登录过程
neo@master:~$ inotifywait -r -m $HOME

Setting up watches. Beware: since -r was given, this may take a while!
Watches established.
/home/neo/ OPEN .profile
/home/neo/ ACCESS .profile
/home/neo/ CLOSE_NOWRITE,CLOSE .profile
/home/neo/ OPEN .bashrc
/home/neo/ ACCESS .bashrc
/home/neo/ CLOSE_NOWRITE,CLOSE .bashrc
/home/neo/ OPEN .bash_history
/home/neo/ ACCESS .bash_history
/home/neo/ CLOSE_NOWRITE,CLOSE .bash_history
/home/neo/ OPEN .bash_history

第 39 章 inotify
/home/neo/ ACCESS .bash_history

/home/neo/ CLOSE_NOWRITE,CLOSE .bash_history
create a new file helloworld.txt
/home/neo/ CREATE helloworld.txt

/home/neo/ OPEN helloworld.txt
/home/neo/ MODIFY helloworld.txt
/home/neo/ CLOSE_WRITE,CLOSE helloworld.txt
cat a file using cat helloworld.txt
/home/neo/ OPEN,ISDIR
/home/neo/ CLOSE_NOWRITE,CLOSE,ISDIR
/home/neo/ OPEN helloworld.txt
/home/neo/ ACCESS helloworld.txt
/home/neo/ CLOSE_NOWRITE,CLOSE helloworld.txt
delete a file helloworld.txt
/home/neo/ DELETE helloworld.txt

Amanda: Open Source Backup 起始页 Incron - cron-like daemon which
handles filesystem events


上一页第 39 章 inotify 下一页

第 39 章 inotify 起始页 inotify-tools + rsync
1. -m 是保持一直监听
2. -r 是递归查看目录
3. -q 是打印出事件～
4. -e create,move,delete,modify 监听创建移动删除写入事件
inotifywait -mrq --event create,delete,modify,move --format '%w %e' /your_path |

while read w e; do
if [ "$e" = "IGNORED" ]; then
continue
fi
rsync -az --delete $w username@your_ip:$w
done
#!/bin/sh
# A slightly complex but actually useful example
inotifywait -mrq --timefmt '%d/%m/%y %H:%M' --format '%T %f' \
-e close_write /home/billy | while read date time file; do
rsync /home/billy/${file} rsync://billy@example.com/backup/${file} && \
echo "At ${time} on ${date}, file ${file} was backed up via rsync"
done
[root@development ~]# cat inotify-rsync

#!/bin/bash
# $Id$ #
# Author neo<openunix@163.com> #
# monitor path
monitor_path=cms
#inotifywait path
INOTIFYWAIT=inotifywait
# rsync image file

function images {
local file=$1

rsync -az --delete $file /tmp/images/$file

# rsync ${file} ${rsync_url}/${file}
}
# rsync html file

function html {
local file=$1
rsync -az --delete $file /tmp/$file
}
$INOTIFYWAIT -mrq --event close_write --format '%w%f %e' $monitor_path | while read
file event; do
if [ "$event" = "CLOSE_WRITE,CLOSE" ]; then
ext=$(echo $file | awk -F'.' '{print $2}')
if [ $ext = 'jpg' ]; then
images $file
fi
if [ $ext = 'html' ]; then
html $file
fi
fi
done &

Incron - cron-like daemon which handles 起始页 pyinotify
filesystem events

pyinotify
pyinotify
pyinotify
[root@development ~]# easy_install pyinotify

[root@development ~]# yum install gcc
[root@development ctypes-1.0.2]# python setup.py install

inotify-tools + rsync 起始页第 40 章 Distributed Filesystem
第 40 章 Distributed Filesystem
上一页下一页
Restore
目录

disk and partition
Installation
configure
Starting
Using
Coda
GlusterFS
MogileFS
Lustre
Hadoop - HDFS

Homepage: http://www.drbd.org/

实验环境需要两台电脑，如果你没有，建议你使用VMware，并且为每一个虚拟机添加两块硬盘。
实验环境
1. master: 192.168.0.1 DRBD:/dev/sdb

2. slave: 192.168.0.2 DRBD:/dev/sdb
disk and partition
Each of the following steps must be completed on both nodes
show all of disk and partition
neo@master:~$ sudo sfdisk -s

/dev/sda: 8388608
/dev/sdb: 2097152
total: 10485760 blocks
create a new partition on the disk /dev/sdb
$ sudo cfdisk /dev/sdb
you must have extended partition
check partition

neo@master:~$ sudo fdisk -l
Disk /dev/sda: 8589 MB, 8589934592 bytes

255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x000301bd
Device Boot Start End Blocks Id System

/dev/sda1 * 1 993 7976241 83 Linux
/dev/sda2 994 1044 409657+ 5 Extended
/dev/sda5 994 1044 409626 82 Linux swap / Solaris
Disk /dev/sdb: 2147 MB, 2147483648 bytes

255 heads, 63 sectors/track, 261 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000000
Device Boot Start End Blocks Id System

/dev/sdb1 1 261 2096451 5 Extended
/dev/sdb5 1 261 2096419+ 83 Linux
format /dev/sdb1
neo@master:~$ sudo mkfs.ext3 /dev/sdb1
you also can using other file system
reiserfs
neo@master:~$ sudo mkfs.reiserfs /dev/sdb1
I suggest you using reiserfs.
Installation
search drbd8-utils package
neo@master:~$ apt-cache search drbd

drbd8-utils - RAID 1 over tcp/ip for Linux utilities
drbd0.7-module-source - RAID 1 over tcp/ip for Linux module source
drbd0.7-utils - RAID 1 over tcp/ip for Linux utilities

drbdlinks - Manages symlinks into a shared DRBD partition
installation
neo@master:~$ sudo apt-get install drbd8-utils
to add modules from the Linux Kernel
neo@master:~$ sudo modprobe drbd

neo@master:~$ lsmod |grep drbd
drbd 213000 0
cn 9632 1 drbd
configure
backup configure file
neo@master:~$ sudo cp /etc/drbd.conf /etc/drbd.conf.old
edit /etc/drbd.conf
global {
usage-count yes;
}
common {
protocol C;
}
resource r0 {
on master {
device /dev/drbd0;
disk /dev/sdb5;
address 192.168.0.1:7789;
meta-disk internal;
}
on slave {
device /dev/drbd0;
disk /dev/sdb5;
address 10.1.1.32:7789;

meta-disk internal;
}
}
Starting
Each of the following steps must be completed on both nodes.
neo@master:~$ sudo drbdadm create-md r0

neo@master:~$ sudo drbdadm attach r0
neo@master:~$ sudo drbdadm connect r0
neo@master:~$ sudo drbdadm -- --overwrite-data-of-peer primary r0
neo@slave:~$ sudo drbdadm create-md r0

neo@slave:~$ sudo drbdadm attach r0
neo@slave:~$ sudo drbdadm connect r0
master
neo@master:~$ sudo drbdadm create-md r0

v08 Magic number not found
md_offset 2146725888
al_offset 2146693120
bm_offset 2146627584
Found some data

==> This might destroy existing data! <==
Do you want to proceed?

[need to type 'yes' to confirm] yes

Writing meta data...
initialising activity log
NOT initialized bitmap
New drbd meta data block sucessfully created.
success
slave

neo@slave:~# sudo drbdadm create-md r0

md_offset 2146725888
al_offset 2146693120
bm_offset 2146627584
Found some data

==> This might destroy existing data! <==
Do you want to proceed?

[need to type 'yes' to confirm] yes

Writing meta data...
initialising activity log
NOT initialized bitmap
New drbd meta data block sucessfully created.
success
status
neo@master:~$ cat /proc/drbd

version: 8.0.11 (api:86/proto:86)
GIT-hash: b3fe2bdfd3b9f7c2f923186883eb9e2a0d3a5b1b build by phil@mescal, 2008-02-12
11:56:43
0: cs:StandAlone st:Primary/Unknown ds:UpToDate/DUnknown r---
ns:0 nr:0 dw:0 dr:0 al:0 bm:0 lo:0 pe:0 ua:0 ap:0
resync: used:0/31 hits:0 misses:0 starving:0 dirty:0 changed:0
act_log: used:0/127 hits:0 misses:0 starving:0 dirty:0 changed:0
1: cs:Connected st:Secondary/Secondary ds:Diskless/Inconsistent C r---
ns:0 nr:0 dw:0 dr:0 al:0 bm:0 lo:0 pe:0 ua:0 ap:0
Using
master
neo@master:~$ sudo drbdadm primary all

neo@master:~$ sudo mkfs.reiserfs /dev/drbd0
neo@master:~$ sudo mkdir /mnt/drbd0
neo@master:~$ sudo mount /dev/drbd0 /mnt/drbd0/
neo@master:~$ sudo touch /mnt/drbd0/helloworld.tmp
neo@master:~$ df -h

Filesystem Size Used Avail Use% Mounted on

/dev/sda1 7.6G 1.3G 6.0G 18% /
varrun 125M 216K 125M 1% /var/run
varlock 125M 8.0K 125M 1% /var/lock
udev 125M 60K 125M 1% /dev
devshm 125M 0 125M 0% /dev/shm
/dev/drbd0 2.0G 33M 2.0G 2% /mnt/drbd0
neo@master:~$ sudo dd if=/dev/zero of=/mnt/drbd0/tempfile1.tmp bs=104857600 count=1
1+0 records in
1+0 records out
104857600 bytes (105 MB) copied, 0.564911 s, 186 MB/s
neo@master:~$ sudo umount /mnt/drbd0/
neo@master:~$ sudo drbdadm secondary all
slave
neo@slave:~$ sudo drbdadm primary all

neo@slave:~$ sudo mkdir /mnt/drbd0
neo@slave:~$ sudo mount /dev/drbd0 /mnt/drbd0/
neo@slave:~$ ls /mnt/drbd0/
helloworld.tmp tempfile1.tmp

pyinotify 起始页 Coda

Coda
Coda
上一页第 40 章 Distributed Filesystem 下一页
Coda

第 40 章 Distributed Filesystem 起始页 GlusterFS
GlusterFS
GlusterFS
GlusterFS
http://www.gluster.org/

Coda 起始页 MogileFS
MogileFS
MogileFS
MogileFS
http://www.danga.com/mogilefs/

GlusterFS 起始页 Lustre
Lustre
Lustre
Lustre
Lustre

MogileFS 起始页 Hadoop - HDFS
Hadoop - HDFS
Hadoop - HDFS
Hadoop - HDFS
http://hadoop.apache.org/
java
$ sudo apt-get install openjdk-6-jre-headless
$ sudo vim /etc/profile.d/java.sh

################################################
### Java environment by neo
################################################
export JRE_HOME=/usr
export PATH=$PATH:/usr/local/apache-tomcat/bin/:/usr/local/jetty-6.1.18/bin:/
usr/local/apache-nutch/bin
export CLASSPATH="./:/usr/share/java/:/usr/local/apache-solr/example/multicore/lib"
过程 40.1. Master configure
1. Download and Installing Software
$ wget http://apache.etoak.com/hadoop/core/hadoop-0.20.0/hadoop-0.20.0.tar.gz
$ tar zxvf hadoop-0.20.0.tar.gz
$ sudo cp -r hadoop-0.20.0 ..
$ sudo ln -s hadoop-0.20.0 hadoop
$ cd hadoop
2. Configuration
hadoop-env.sh
$ vim conf/hadoop-env.sh
conf/core-site.xml

Hadoop - HDFS
$ vim conf/core-site.xml
<configuration>
<property>
<name>fs.default.name</name>
<value>hdfs://localhost:9000</value>
</property>
</configuration>
conf/hdfs-site.xml
$ vim conf/hdfs-site.xml
<configuration>
<property>
<name>dfs.replication</name>
<value>1</value>
</property>
</configuration>
conf/mapred-site.xml
$ vim conf/mapred-site.xml
<configuration>
<property>
<name>mapred.job.tracker</name>
<value>localhost:9001</value>
</property>
</configuration>
3. Setup passphraseless ssh
Now check that you can ssh to the localhost without a passphrase:
$ ssh localhost
If you cannot ssh to localhost without a passphrase, execute the following commands:
$ ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa
$ cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys

Hadoop - HDFS
4. Execution
Format a new distributed-filesystem:

$ bin/hadoop namenode -format
Start the hadoop daemons:

$ bin/start-all.sh
When you're done, stop the daemons with:

$ bin/stop-all.sh
5. Monitor
Browse the web interface for the NameNode and the JobTracker; by default they are available at:
● NameNode - http://localhost:50070/
● JobTracker - http://localhost:50030/
6. Test
$ bin/hadoop dfs -mkdir test

$ echo helloworld > testfile
$ bin/hadoop dfs -copyFromLocal testfile test/
$ bin/hadoop dfs -ls
Found 1 items
drwxr-xr-x - neo supergroup 0 2009-07-10 14:18 /user/neo/test
$ bin/hadoop dfs -ls test
$ bin/hadoop dfs –cat test/file
过程 40.2. slave config
1. SSH
$ scp neo@master:~/.ssh/id_dsa.pub .ssh/master.pub

$ cat .ssh/master.pub >> .ssh/authorized_keys
2. Hadoop
$ scp neo@master:/usr/local/hadoop /usr/local/hadoop

Hadoop - HDFS

Lustre 起始页部分 V. Monitor and Assistant

部分 V. Monitor and Assistant

上一页下一页

目录
41. System
Webmin
logwatch
nmon
nulog
42. Network
Cacti
Nagios
BIG BROTHER
Bandwidth
OpenNMS
43. Web
awstats
webalizer
44. Zenoss
45. Ganglia
上一页下一页
Hadoop - HDFS 起始页第 41 章 System
第 41 章 System
第 41 章 System
上一页部分 V. Monitor and Assistant 下一页
第 41 章 System
目录

Webmin
logwatch
nmon
nulog
# pmap -d PID
[root@development ~]# pmap -d 3817

3817: /sbin/mingetty tty3
Address Kbytes Mode Offset Device Mapping
0000000000400000 12 r-x-- 0000000000000000 008:00002 mingetty
0000000000602000 8 rw--- 0000000000002000 008:00002 mingetty
000000001b9f8000 132 rw--- 000000001b9f8000 000:00000 [ anon ]
0000003fd8200000 112 r-x-- 0000000000000000 008:00002 ld-2.5.so
0000003fd841b000 4 r---- 000000000001b000 008:00002 ld-2.5.so
0000003fd841c000 4 rw--- 000000000001c000 008:00002 ld-2.5.so
0000003fd9200000 1332 r-x-- 0000000000000000 008:00002 libc-2.5.so
0000003fd934d000 2048 ----- 000000000014d000 008:00002 libc-2.5.so
0000003fd954d000 16 r---- 000000000014d000 008:00002 libc-2.5.so
0000003fd9551000 4 rw--- 0000000000151000 008:00002 libc-2.5.so
0000003fd9552000 20 rw--- 0000003fd9552000 000:00000 [ anon ]
00002ba6fbb68000 8 rw--- 00002ba6fbb68000 000:00000 [ anon ]
00002ba6fbb7d000 8 rw--- 00002ba6fbb7d000 000:00000 [ anon ]
00007fff2ba17000 84 rw--- 00007ffffffea000 000:00000 [ stack ]
ffffffffff600000 8192 ----- 0000000000000000 000:00000 [ anon ]
mapped: 11984K writeable/private: 268K shared: 0K

第 41 章 System

部分 V. Monitor and Assistant 起始页 Webmin

Webmin
Webmin
上一页第 41 章 System 下一页
Webmin
网站
http://www.webmin.com/
过程 41.1. Webmin 安装步骤:
1. Debian Package
2. 命令:
sudo dpkg --install webmin_1.380_all.deb
sudo apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime

libio-pty-perl libmd5-perl
Webmin install complete. You can now login to https://netkiller.8800.org:10000/ as root

with your root password, or as any user who can use sudo to run commands as root.
3. script
Usage: /etc/init.d/webmin { start | stop }

4. nmap localhost

第 41 章 System 起始页 logwatch
logwatch
logwatch
logwatch
logwatch - log analyser with nice output written in Perl
http://www.logwatch.org/
过程 41.2. logwatch 安装步骤:
1. Install
Ubuntu 7.10
netkiller@shenzhen:/etc/webmin$ apt-cache search logwatch

fwlogwatch - Firewall log analyzer
logwatch - log analyser with nice output written in Perl
apt-get install
# apt-get install logwatch
the logwatch has been installed, it should create a file in '/etc/cron.daily/00logwatch'.

2. config
$ sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/

logwatch.conf
$ sudo mkdir /var/cache/logwatch
$ sudo vim /etc/logwatch/conf/logwatch.conf
mail to
# Default person to mail reports to. Can be a local account or a

# complete email address.
MailTo = root, openunix@163.com, other@example.com
To change detail level for the report
# The default detail level for the report.

logwatch
# This can either be Low, Med, High or a number.

# Low = 0
# Med = 5
# High = 10
Detail = High
Crontab
netkiller@shenzhen:~$ cat /etc/cron.daily/00logwatch

#!/bin/bash
#Check if removed-but-not-purged
test -x /usr/share/logwatch/scripts/logwatch.pl || exit 0
#execute
/usr/sbin/logwatch
3. The logwatch is command, you can run it.
logwatch --print
单独查看某个服务，比如 SSH 登录信息
logwatch --service sshd --print

Webmin 起始页 nmon

nmon
nmon
nmon
http://nmon.sourceforge.net/
例 41.1. nmon

logwatch 起始页 nulog
nulog
nulog
nulog
例 41.2. config.php

nmon 起始页第 42 章 Network
第 42 章 Network
第 42 章 Network
第 42 章 Network
目录
Cacti
Nagios
BIG BROTHER
Bandwidth
OpenNMS
Cacti
Cacti is a complete network graphing solution designed to harness the power of RRDTool's
data storage and graphing functionality. Cacti provides a fast poller, advanced graph
templating, multiple data acquisition methods, and user management features out of the box.
All of this is wrapped in an intuitive, easy to use interface that makes sense for LAN-sized
installations up to complex networks with hundreds of devices.
homepage: http://www.cacti.net/
Cacti requires MySQL, PHP, RRDTool, net-snmp, and a webserver that supports PHP such as
Apache.
sudo apt-get install rrdtool

sudo apt-get install snmp snmpd
sudo apt-get install php5-snmp
At first, install snmp for linux
1. wget http://www.cacti.net/downloads/cacti-0.8.7b.tar.gz
2. tar zxvf cacti-0.8.7b.tar.gz
3. mv cacti-0.8.7b /home/netkiller/public_html/cacti

第 42 章 Network
4. mysqladmin --user=root create cacti

5. mysql -uroot -p cacti < cacti.sql
6. echo "GRANT ALL ON cacti.* TO cactiuser@localhost IDENTIFIED BY 'somepassword';"
| mysql -uroot -p
7. echo "flush privileges;" | mysql -uroot -p
8. vi include/config.php
例 42.1. cacti config.php
$database_type = "mysql";
$database_default = "cacti";
$database_hostname = "localhost";
$database_username = "cactiuser";
$database_password = "somepassword";
$database_port = "3306";
9. crontab -e
*/5 * * * * php /var/www/neo.6600.org/html/cacti/poller.php > /dev/null 2>&1
or
/etc/crontab
*/5 * * * * nobody php /home/netkiller/public_html/cacti/poller.php > /dev/null 2>&1

10. mkdir -p /var/log/cacti/
configure cacti
http://your-server/cacti/

nulog 起始页 Nagios

Nagios
Nagios
上一页第 42 章 Network 下一页
Nagios
homepage: http://www.nagios.org/
Nagios 是一种开放源代码监视软件，它可以扫描主机、服务、网络方面存在的问题。Nagios 与
其他类似的包之间的主要区别在于，Nagios 将所有的信息简化为“工作（working）”、“可疑的
（questionable）”和“故障（failure）”状态，并且 Nagios 支持由插件组成的非常丰富的“生态系
统”。这些特性使得用户能够进行有效安装，在此过程中无需过多地关心细节内容，只提供他们
所需的信息即可。
install
$ sudo apt-get install nagios2
add user nagiosadmin for nagios
$ sudo htpasswd -c /etc/nagios2/htpasswd.users nagiosadmin

New password:
Re-type new password:
Adding password for user nagiosadmin
Create a new nagcmd group for allowing external commands to be submitted through the web
interface. Add both the nagios user and the apache user to the group.
$ groupadd nagcmd
$ sudo usermod -a -G nagcmd nagios
$ sudo usermod -a -G nagcmd www-data
$ cat /etc/group
nagcmd:x:1003:nagios,www-data
reload apache

Nagios
$ sudo /etc/init.d/apache2 reload

* Reloading web server config apache2
[ OK ]
NagiosChecker

第 42 章 Network 起始页 BIG BROTHER

BIG BROTHER
BIG BROTHER
BIG BROTHER
waiting ...

Nagios 起始页 Bandwidth
Bandwidth
Bandwidth
Bandwidth
http://bandwidthd.sourceforge.net/

BIG BROTHER 起始页 OpenNMS
OpenNMS
OpenNMS
OpenNMS
http://www.opennms.org/

Bandwidth 起始页第 43 章 Web
第 43 章 Web
第 43 章 Web
第 43 章 Web
目录
awstats
webalizer
awstats
http://sourceforge.net/projects/awstats/
1. install
sudo apt-get install awstats
2. configure
sudo vim /etc/awstats/awstats.conf or awstats.conf.local
LogFile="/home/netkiller/logs/access_log"
SiteDomain="netkiller.8800.org"
or
# cd /usr/share/doc/awstats/examples/
#/usr/share/doc/awstats/examples$ perl awstats_configure.pl
3. apache
Alias /awstatsclasses "/usr/share/awstats/lib/"

Alias /awstats-icon/ "/usr/share/awstats/icon/"
Alias /awstatscss "/usr/share/doc/awstats/examples/css"
ScriptAlias /awstats/ /usr/lib/cgi-bin/
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
4. how do I test awstats.

第 43 章 Web
http://netkiller.8800.org/awstats/awstats.pl
5. Generating the First Stats
sudo -u www-data /usr/bin/perl /usr/lib/cgi-bin/awstats.pl -update -

config=netkiller.8800.org
6. Automatising the stats generation using Cron
If we check the file installed by awstats and search for the word cron using the following command line:
$ dpkg -L awstats | grep cron

/etc/cron.d
/etc/cron.d/awstats
sudo vim /etc/cron.d/awstats
0,10,20,30,40,50 * * * * www-data [ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/

awstats/awstats.conf -a -r /home/netkiller/logs/access.log ] && /usr/lib/cgi-bin/
awstats.pl -config=netkiller.8800.org -update >/dev/null
7. web 测试
http://netkiller.8800.org/awstats/awstats.pl
http://netkiller.8800.org/awstats/awstats.pl?config=other.8800.org

OpenNMS 起始页 webalizer

webalizer
webalizer
上一页第 43 章 Web 下一页
webalizer
What is Webalizer?
The Webalizer is a fast, free web server log file analysis program. It produces highly detailed, easily
configurable usage reports in HTML format, for viewing with a standard web browser
1. install webalizer
sudo apt-get install webalizer
2. config
LogFile /home/netkiller/logs/access.log
OutputDir /home/netkiller/public_html/webalizer
3. crontab
/etc/cron.daily/webalizer
netkiller@shenzhen:~$ cat /etc/cron.daily/webalizer

#!/bin/sh
# /etc/cron.daily/webalizer: Webalizer daily maintenance script
# This script was originally written by
# Remco van de Meent <remco@debian.org>
# and now, all rewrited by Jose Carlos Medeiros <jose@psabs.com.br>
# This script just run webalizer agains all .conf files in /etc/webalizer directory
WEBALIZER=/usr/bin/webalizer
WEBALIZER_CONFDIR=/etc/webalizer
[ -x ${WEBALIZER} ] || exit 0;
[ -d ${WEBALIZER_CONFDIR} ] || exit 0;
for i in ${WEBALIZER_CONFDIR}/*.conf; do
# run agains a rotated or normal logfile
LOGFILE=àwk '$1 ~ /^LogFile$/ {print $2}' $i`;
# empty ?
[ -s "${LOGFILE}" ] || continue;
# readable ?
[ -r "${LOGFILE}" ] || continue;
# there was a output ?

webalizer
OUTDIR=àwk '$1 ~ /ÔutputDir$/ {print $2}' $i`;

# exists something ?
[ "${OUTDIR}" != "" ] || continue;
# its a directory ?
[ -d ${OUTDIR} ] || continue;
# its writable ?
[ -w ${OUTDIR} ] || continue;
# Run Really quietly, exit with status code if !0

${WEBALIZER} -c ${i} -Q || continue;
RET=$?;
# Non rotated log file

NLOGFILE=àwk '$1 ~ /^LogFile$/ {gsub(/\.[0-9]+(\.gz)?/,""); print $2}' $i`;
# check current log, if last log is a rotated logfile

if [ "${LOGFILE}" != "${NLOGFILE}" ]; then
# empty ?
[ -s "${NLOGFILE}" ] || continue;
# readable ?
[ -r "${NLOGFILE}" ] || continue;
${WEBALIZER} -c ${i} -Q ${NLOGFILE};

RET=$?;
fi;
done;
# exit with webalizer's exit code

exit $RET;
4. initialization
sudo /usr/bin/webalizer
5. http://netkiller.8800.org/webalizer/

第 43 章 Web 起始页第 44 章 Zenoss

第 44 章 Zenoss
第 44 章 Zenoss
第 44 章 Zenoss
http://www.linuxjournal.com/article/10070

webalizer 起始页第 45 章 Ganglia
第 45 章 Ganglia
第 45 章 Ganglia
第 45 章 Ganglia
Ganglia 是一个开源项目，它为高性能计算系统（例如集群和网格）提供了一个免费的可扩展分
布式监视系统。
waiting ...

第 44 章 Zenoss 起始页部分 VI. Cluster / Load Balancing
部分 VI. Cluster / Load Balancing

上一页下一页

目录
46. Linux Virtual Server

环境配置
VS/NAT
VS/TUN
VS/DR
配置文件
ipvsadm script
debug
ipvsadm monitor
47. keepalived
安装
test
48. heartbeat+ldirectord
49. HAProxy - fast and reliable load balancing reverse proxy
上一页下一页
第 45 章 Ganglia 起始页第 46 章 Linux Virtual Server
第 46 章 Linux Virtual Server

上一页部分 VI. Cluster / Load Balancing 下一页

目录
环境配置
VS/NAT
VS/TUN
VS/DR
配置文件
ipvsadm script
debug
ipvsadm monitor
Session
当选用持久服务（-p选项）支持HTTP session时，来自同一IP地址的请求将被送到同一台服务器。所
以在这种状况下，一个ab生成的请求都会被调度到一台服务器，达不到性能测试的目的。在真实系
统使用中，持久服务时间一般设置好几个小时。当ldirectord监测到并且在列表中删除一台应用服务
器时，之前有建立连接的,继续转发到这台机上，确实是这样。因为IPVS并不立即淘汰刚删除的服务
器，考虑到服务器太忙被删除，可能很快会被加回来。如果你需要马上淘汰已删除服务器的连接，
可以用 echo 1 > /proc/sys/net/ipv4/vs/expire_nodest_conn 不用担心记录连接所消耗的内存，因为
一个连接只占用128个字节，所以512M可用内存可以支持四百万条连接数。可以考虑用分布式的测
试工具，或者多台机器一起跑ab。
环境配置
ssh
neo@ubuntu:~$ sudo apt-get install ssh
network
neo@ubuntu:~$ sudo ifconfig eth0 172.16.0.250

neo@ubuntu:~$ sudo route add default gw 172.16.0.254
install ipvsadm
neo@ubuntu:~$ apt-cache search ipvsadm

ipvsadm - Linux Virtual Server support programs
neo@ubuntu:~$ sudo apt-get install ipvsadm
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
heartbeat keepalived ldirectord
The following NEW packages will be installed:
ipvsadm
0 upgraded, 1 newly installed, 0 to remove and 30 not upgraded.
Need to get 0B/43.9kB of archives.
After unpacking 238kB of additional disk space will be used.
Preconfiguring packages ...
Selecting previously deselected package ipvsadm.
(Reading database ... 16572 files and directories currently installed.)
Unpacking ipvsadm (from .../ipvsadm_1.24+1.21-1.1ubuntu3_i386.deb) ...
Setting up ipvsadm (1.24+1.21-1.1ubuntu3) ...
neo@ubuntu:~$
test
neo@ubuntu:~$ sudo ipvsadm

IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
neo@ubuntu:~$

部分 VI. Cluster / Load Balancing 起始页 VS/NAT

VS/NAT
VS/NAT
上一页第 46 章 Linux Virtual Server 下一页
VS/NAT

VS/NAT
ip_forward
or
or
/etc/sysctl.conf 文件，保证其中有如下一行:
执行:
sysctl -p
iptables
sudo iptables -t nat -A POSTROUTING -j MASQUERADE -p tcp -o eth0 -s 172.16.0.0/16 -d

0.0.0.0/0
sudo iptables -t nat -A POSTROUTING -j MASQUERADE -p tcp -o eth1 -s 192.168.1.0/24 -
d 0.0.0.0/0
ipvsadm
sudo ipvsadm -A -t 172.16.0.1:80 -s wlc

sudo ipvsadm -a -t 172.16.0.1:80 -r 192.168.0.4:80 -m
sudo ipvsadm -a -t 172.16.0.1:80 -r 192.168.0.5:80 -m -w 2

VS/NAT

第 46 章 Linux Virtual Server 起始页 VS/TUN

VS/TUN
VS/TUN
VS/TUN

VS/TUN
Director
ifconfig eth0:0 172.16.0.1 netmask 255.255.255.255 broadcast 172.16.0.1 up
ifconfig eth0:0 <VIP> netmask 255.255.255.255 broadcast <VIP> up
ipvsadm -A -t 172.16.0.1:80 -s wlc

ipvsadm -a -t 172.16.0.1:80 -r 172.16.0.10 -i
ipvsadm -a -t 172.16.0.1:80 -r 172.16.0.20 -i
ipvsadm -a -t 172.16.0.1:80 -r 172.16.0.30 -i
ifconfig
[root@centos etc]# ifconfig

eth0 Link encap:Ethernet HWaddr 00:0C:29:15:2B:CF
inet addr:172.16.0.40 Bcast:172.16.255.255 Mask:255.255.0.0
inet6 addr: fe80::20c:29ff:fe15:2bcf/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2340 errors:0 dropped:0 overruns:0 frame:0
TX packets:2524 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:995068 (971.7 KiB) TX bytes:327201 (319.5 KiB)
Interrupt:177 Base address:0x1400

VS/TUN
eth0:0 Link encap:Ethernet HWaddr 00:0C:29:15:2B:CF

lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
[root@centos etc]#
route
[root@centos etc]# route

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
172.16.0.0 * 255.255.0.0 U 0 0 0 eth0
default 172.16.0.254 0.0.0.0 UG 0 0 0 eth0
[root@centos etc]#
ipvsadm
[root@centos etc]# ipvsadm

TCP 172.16.0.1:http wlc
-> 172.16.0.30:http Tunnel 1 0 0
-> 172.16.0.20:http Tunnel 1 0 0
-> 172.16.0.10:http Tunnel 1 0 0
[root@centos etc]#
realserver

VS/TUN

modprobe ipip
ifconfig tunl0 0.0.0.0 up
echo 1 > /proc/sys/net/ipv4/conf/all/hidden
echo 1 > /proc/sys/net/ipv4/conf/tunl0/hidden
ifconfig tunl0 172.16.0.1 netmask 255.255.255.255 broadcast 172.16.0.1 up
route add -host 172.16.0.1 dev tunl0
ubuntu real server
neo@backup:~$ sudo sysctl -w net.ipv4.ip_forward=1

neo@backup:~$ sudo modprobe ipip
neo@backup:~$ sudo ifconfig tunl0 0.0.0.0 up
neo@backup:~$ sudo ifconfig tunl0 172.16.0.1 netmask 255.255.255.255 broadcast

172.16.0.1 up
neo@backup:~$ sudo route add -host 172.16.0.1 dev tunl0
neo@backup:~$ route
172.16.0.1 * 255.255.255.255 UH 0 0 0 tunl0
localnet * 255.255.0.0 U 0 0 0 eth0
default 172.16.0.254 0.0.0.0 UG 0 0 0 eth0
neo@backup:~$
script
sudo sysctl -w net.ipv4.ip_forward=1

sudo modprobe ipip
sudo ifconfig tunl0 0.0.0.0 up
sudo ifconfig tunl0 172.16.0.1 netmask 255.255.255.255 broadcast 172.16.0.1 up
ifconfig
neo@master:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:CC:CF:A2
inet6 addr: fe80::20c:29ff:fecc:cfa2/64 Scope:Link

VS/TUN
RX bytes:2866792 (2.7 MiB) TX bytes:639042 (624.0 KiB)


inet addr:127.0.0.1 Mask:255.0.0.0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
tunl0 Link encap:IPIP Tunnel HWaddr

inet addr:172.16.0.1 Mask:255.255.255.255
UP RUNNING NOARP MTU:1480 Metric:1
RX bytes:19511 (19.0 KiB) TX bytes:0 (0.0 b)
neo@master:~$ route
172.16.0.0 * 255.255.0.0 U 0 0 0 eth0
default 172.16.0.254 0.0.0.0 UG 0 0 0 eth0
neo@master:~$

VS/NAT 起始页 VS/DR

VS/DR
VS/DR
VS/DR

VS/DR
VS/DR方式是通过改写请求报文中的MAC地址部分来实现的。
Director和RealServer必需在物理上有一个网卡通过不间断的局域网相连。
Director
VIP:172.16.0.1
neo@ubuntu:~$ sudo ifconfig eth0 172.16.0.1/16

or
ifconfig eth0 172.16.0.x netmask 255.255.0.0 broadcast 172.16.0.255 up
ipvsadm
#!/bin/bash
ipvsadm -C
ipvsadm -A -t 172.16.0.1:80 -s wlc
ipvsadm -a -t 172.16.0.1:80 -r 172.16.0.10 -g
ipvsadm -a -t 172.16.0.1:80 -r 172.16.0.20 -g
ipvsadm -a -t 172.16.0.1:80 -r 172.16.0.30 -g

VS/DR
script
ifconfig eth0 172.16.0.x netmask 255.255.0.0 broadcast 172.16.0.255 up

RealServer
Ubuntn
neo@master:~$ sudo sysctl -w net.ipv4.ip_forward=1

neo@master:~$ sudo sysctl -w net.ipv4.conf.lo.arp_ignore=1
net.ipv4.conf.lo.arp_ignore = 1
neo@master:~$ sudo sysctl -w net.ipv4.conf.lo.arp_announce=2
net.ipv4.conf.lo.arp_announce = 2
neo@master:~$ sudo sysctl -w net.ipv4.conf.all.arp_ignore=1
net.ipv4.conf.all.arp_ignore = 1
neo@master:~$ sudo sysctl -w net.ipv4.conf.all.arp_announce=2
net.ipv4.conf.all.arp_announce = 2
neo@master:~$
neo@master:~$ sudo ifconfig lo:0 172.16.0.1 netmask 255.255.255.255 broadcast
172.16.0.1 up
neo@master:~$ sudo route add -host 172.16.0.1 dev lo:0
script

sudo sysctl -w net.ipv4.conf.lo.arp_ignore=1
sudo sysctl -w net.ipv4.conf.lo.arp_announce=2
sudo sysctl -w net.ipv4.conf.all.arp_ignore=1
sudo sysctl -w net.ipv4.conf.all.arp_announce=2
sudo ifconfig lo:0 172.16.0.1 netmask 255.255.255.255 broadcast 172.16.0.1 up
sudo route add -host 172.16.0.1 dev lo:0
redhat

echo 1 > /proc/sys/net/ipv4/conf/all/hidden
echo 1 > /proc/sys/net/ipv4/conf/lo/hidden
ifconfig lo:0 172.16.0.1 netmask 255.255.255.255 broadcast 172.16.0.1 up

VS/DR
test
neo@ubuntu:~$ sudo tcpdump -i eth0|grep "172.16.0.1"
配置文件
Director
ifconfig
neo@ubuntu:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:C2:FC:D7
inet6 addr: fe80::20c:29ff:fec2:fcd7/64 Scope:Link
RX bytes:726365 (709.3 KiB) TX bytes:2638735 (2.5 MiB)
eth0:0 Link encap:Ethernet HWaddr 00:0C:29:C2:FC:D7


inet addr:127.0.0.1 Mask:255.0.0.0
neo@ubuntu:~$
ipvsadm
neo@ubuntu:~$ sudo ipvsadm


VS/DR
TCP 172.16.0.1:www wlc

-> 172.16.0.20:www Route 1 0 0
-> 172.16.0.10:www Route 1 0 0
neo@ubuntu:~$
RealServer
ifconfig
neo@ubuntu:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:CC:CF:A2
inet6 addr: fe80::20c:29ff:fecc:cfa2/64 Scope:Link

inet addr:127.0.0.1 Mask:255.0.0.0
lo:0 Link encap:Local Loopback

inet addr:172.16.0.1 Mask:255.255.255.255
neo@ubuntu:~$

VS/TUN 起始页 ipvsadm script

ipvsadm script
ipvsadm script
ipvsadm script
save/restore
$ ipvsadm-sav > ipvsadm.sav

$ ipvsadm-restore < ipvsadm.sav
同步
#sync daemon.
ipvsadm --start-daemon=master --mcast-interface=eth1
ipvsadm --start-daemon=backup --mcast-interface=eth1
cancel
[root@centos etc]# ipvsadm -C

[root@centos etc]# ifconfig eth0:0 down
and
[root@centos etc]# ifconfig lo:0 down

VS/DR 起始页 debug
debug
debug
debug
tcpdump -n -i eth0 port 80 or icmp or arp
正确的IP包
20:39:01.222810 IP 172.16.0.253.4086 > 172.16.0.1.www: S 4092656017:4092656017(0)

win 65535 <mss 1460,nop,wscale 2,nop,nop,sackOK>
20:39:01.225684 IP 172.16.0.253.4086 > 172.16.0.1.www: . ack 3272377939 win 64240
20:39:01.225697 IP 172.16.0.1.www > 172.16.0.253.4086: S 3272377938:3272377938(0)
ack 4092656018 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 1>
20:39:01.225726 IP 172.16.0.253.4086 > 172.16.0.1.www: P 1:186(185) ack 1 win 64240
20:39:01.246167 IP 172.16.0.1.www > 172.16.0.253.4086: . ack 186 win 3456
20:39:01.284672 IP 172.16.0.1.www > 172.16.0.253.4086: P 1:524(523) ack 186 win 3456
20:39:01.386049 IP 172.16.0.253.4086 > 172.16.0.1.www: . ack 524 win 64109

ipvsadm script 起始页 ipvsadm monitor
ipvsadm monitor
ipvsadm monitor
ipvsadm monitor
monitor.py
#!/usr/bin/env python
class Ipvs:
types = ''
vip = '0.0.0.0'
vport = '0'
scheduler = ''
nodes = []
"""
def __init__(self, vs):
self.types = vs[0]
self.vip = vs[1]
self.vport = vs[2]
self.scheduler = vs[3]
self.nodes = vs[4]
"""
class Node:
nip = '0.0.0.0'
nport = ''
forward = ''
weight = 0
active = 0
inact = 0
def __init__(self, node):
nip = node[0]
nport = node[1]
forward = node[2]
weight = node[3]
active = node[4]
incat = node[5]
self.nip = nip
self.nport = nport
self.forward = forward
self.weight = weight
self.active = active
self.inact = incat
class Monitor:
buffer = []

ipvsadm monitor
ipvsdict = {}
def __init__(self):
self.buffer.append('<?xml version="1.0"?>')
self.buffer.append('<?xml-stylesheet type="text/xsl" href="vs.xsl"?>')
#self.make()
pass
def clear(self):
self.buffer = []
self.ipvss = []
def make(self):
self.buffer.append('<ipvs>')
for key in self.ipvsdict:
ipvs = self.ipvsdict[key]
self.node(ipvs.nodes,ipvs.vip+':'+ipvs.vport+' '+ipvs.scheduler)
self.buffer.append('</ipvs>')
def header(self,vs):
self.buffer.append('')
def node(self, nodes, caption):
self.buffer.append('<table>')
self.buffer.append('<caption>'+caption+'</caption>')
for node in nodes:
self.buffer.append('<node>')
self.buffer.append('<nip>'+node.nip+'</nip>')
self.buffer.append('<nport>'+node.nport+'</nport>')
self.buffer.append('<forward>'+node.forward+'</forward>')
self.buffer.append('<weight>'+node.weight+'</weight>')
self.buffer.append('<active>'+node.active+'</active>')
self.buffer.append('<inact>'+node.inact+'</inact>')
self.buffer.append('</node>')
self.buffer.append('</table>')
def display(self):
for buf in self.buffer:
print buf
def saveAs(self,filename):
# if filename:
f = open(filename,'w')
for buf in self.buffer:
f.write(buf)
f.close()
def save(self):
self.saveAs('vs.xml')
def ipvslist(self):
w,r = os.popen2(IPVSADM)
w.close()
version = r.readline()
vsfield = r.readline()
nodefield = r.readline()
pattern_vs = r'(\w+)\s+([0-9.]+):(\w+)\s+(\w+)'

ipvsadm monitor
pattern_node = r'\s->\s([0-9.]+):(\w+)\s+(\w+)\s+(\d+)\s+(\d+)\s+(\d+)'
cp_vs = re.compile(pattern_vs)
cp_node = re.compile(pattern_node)
current_vs = ''
for line in r.readlines():
if line[:3] == 'TCP' or line[:3] == 'UDP':
current_vs = line
result = cp_vs.search(line).groups()
ipvs = Ipvs()
ipvs.types = result[0]
ipvs.vip = result[1]
ipvs.vport = result[2]
ipvs.scheduler = result[3]
ipvs.nodes = []
self.ipvsdict[current_vs] = ipvs
elif line[2:4]== '->':
result = cp_node.search(line).groups()
oneNode = Node(result)
#nodes.append(oneNode)
self.ipvsdict[current_vs].nodes.append(oneNode)
class Network:
interface = []
def __init__(self):
pass
def hostname:
pass
class Ipvsadmin:
cmdline = ''
vscache = []
forward = {'nat':'','route':'','tunel':''}
def load(self, config):

pass
def vip(self, vip, vport, scheduler):
pass
def rip(self, vip,rip,rport,forward,weight):
pass
def list(self):
pass
def saveAs(self):
pass
def restore(self):
pass
class Deploy:
src = ['vs.xml','vs.xsl']

ipvsadm monitor
dst = ''
def __init__(self):
pass
def target(self, dst):
self.dst = dst
def start(self):
try:
for srcfile in self.src:
shutil.copy(srcfile,self.dst)
except (IOError, os.error), why:
print "Can't copy %s to %s: %s" % (`self.src`, `self.dst`, str(why))
import os,re
import shutil
IPVSADM='/sbin/ipvsadm'
def main():
xml = Monitor()
xml.ipvslist()
xml.make()
#xml.display()
xml.save()
#xml.saveAs('/var/www/vs.xml')
deploy = Deploy()
deploy.target('/var/www')
deploy.start()
if __name__ == "__main__":
main()
ipvs.xsl
<?xml version="1.0" encoding="utf-8"?>


<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:output method="html"/>
<xsl:template match="/">
<html>
<head>
<title><xsl:value-of select="table/caption"/></title>

ipvsadm monitor
<meta http-equiv="content-type" content="text/html; charset=utf-8" />

<meta content="陈景峰,网路杀手,网络杀手,bg7nyt,ham,火腿" name="keywords" />
<meta content="陈景峰" name="description" />

<link rel="stylesheet" type="text/css" href="style.css" />
</head>
<body bgcolor="DFEFFF" text="#000000">

<a name="top" />
<xsl:apply-templates/>
</body>
</html>
</xsl:template>
<xsl:template match="/ipvs">
<xsl:for-each select="table">
<table width="90%" border="1" cellspacing="0" cellpadding="5" bgcolor="E0F0FF"
align="center" bordercolor="4FA7FF">
<caption><xsl:value-of select="caption"/></caption>
<xsl:for-each select="node">
<tr>
<td><xsl:value-of select="nip"/></td>
<td><xsl:value-of select="nport"/></td>
<td><xsl:value-of select="forward"/></td>
<td><xsl:value-of select="weight"/></td>
<td><xsl:value-of select="active"/></td>
<td><xsl:value-of select="inact"/></td>
</tr>
</xsl:for-each>
</table>
<br />
</xsl:for-each>
</xsl:template>
<xsl:template match="chapter/title">
<center><h1>
<xsl:apply-templates/>
</h1>
</center>
<hr />
</xsl:template>

ipvsadm monitor
<xsl:template match="ulink">
<a href="{@url}" border="0" >
<xsl:apply-templates/> </a> <br />
</xsl:template>

</xsl:stylesheet>

debug 起始页第 47 章 keepalived

第 47 章 keepalived
目录
安装
test
VRRP（Virtual Router Redundancy Protocol）协议
网站: http://www.keepalived.org/
http://www.lvwnet.com/vince/linux/Keepalived-LVS-NAT-Director-ProxyArp-
Firewall-HOWTO.html
http://www.keepalived.org/LVS-NAT-Keepalived-HOWTO.html
http://archive.linuxvirtualserver.org/html/lvs-users/2002-12/msg00189.html
http://www.linuxvirtualserver.org/docs/ha/keepalived.html
安装
两台已经安装好Ubuntu的服务器
分别安装ssh以方便putty登录
neo@master:~$ sudo apt-get install ssh

neo@slave:~$ sudo apt-get install ssh
install keepalived

neo@master:~$ apt-cache search lvs

keepalived - Failover and monitoring daemon for LVS clusters
neo@master:~$ sudo apt-get install keepalived
配置 keepalived.conf
neo@master:/etc/keepalived$ sudo touch keepalived.conf

neo@master:/etc/keepalived$ sudo vi keepalived.conf
例 47.1. keepalived.conf
vrrp_sync_group VG1 {
group {
VI_1
VI_2
}
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
172.16.0.1
}
}
vrrp_instance VI_2 {
state MASTER
interface eth1
virtual_router_id 51

priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
172.18.1.254
}
}
virtual_server 172.16.0.1 80 {
delay_loop 6
lb_algo wlc
lb_kind NAT
persistence_timeout 600
protocol TCP
real_server 172.16.0.2 80 {
weight 100
TCP_CHECK {
connect_timeout 3
}
}
real_server 172.16.0.3 80 {
weight 100
TCP_CHECK {
connect_timeout 3
}
}
real_server 172.16.0.4 80 {
weight 100
TCP_CHECK {
connect_timeout 3
}
}
}
enable ip_forward

$ sudo sysctl -w net.ipv4.ip_forward=1
neo@master:~$ sysctl net.ipv4.ip_forward

Starting keepalived
neo@master:/etc/keepalived$ sudo /etc/init.d/keepalived start

Starting keepalived: keepalived.
virtual_ipaddress
virtual_ipaddress { 172.16.0.1/16 } 正常直接写IP即可.但在ubuntu中如果不写子网

掩码,它会默认为172.16.0.1/32.

ipvsadm monitor 起始页 test

test
test
上一页第 47 章 keepalived 下一页
test
Log
Keepalived 日志输出位置
Debian/Ubutun: /var/log/daemon.log
Other: /var/log/messages
tail -f /var/log/daemon.log |grep Keepalived
$ sudo ipvsadm
链接测试
$ w3m -no-cookie -dump 'http://172.16.0.1'
查看vip
neo@master:/etc/keepalived$ ip addr show eth0

2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:07:40:14 brd ff:ff:ff:ff:ff:ff
inet 172.16.0.2/16 brd 172.16.255.255 scope global eth0
inet6 fe80::20c:29ff:fe07:4014/64 scope link
valid_lft forever preferred_lft forever
neo@master:/etc/keepalived$
neo@master:/etc/keepalived$ sudo /etc/init.d/keepalived start

Starting keepalived: keepalived.
neo@master:/etc/keepalived$ ip addr show eth0

2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:07:40:14 brd ff:ff:ff:ff:ff:ff
inet 172.16.0.2/16 brd 172.16.255.255 scope global eth0

test
inet 172.16.0.1/16 scope global secondary eth0

inet6 fe80::20c:29ff:fe07:4014/64 scope link
valid_lft forever preferred_lft forever
neo@master:/etc/keepalived$
正确应该显示： inet 172.16.0.1/16 scope global secondary eth0
genhash 生成web hash类似md5sum，对比每次输出是否一样
genhash -s 172.16.0.1 -p 80 -u /
genhash -s 172.16.0.1 -p 80 -u /
genhash -s 172.16.0.1 -p 80 -u /
...
genhash -s 172.16.0.1 -p 80 -u /

第 47 章 keepalived 起始页第 48 章 heartbeat+ldirectord

第 48 章 heartbeat+ldirectord
当前环境
[root@backup ~]# cd /etc/ha.d/

[root@backup ha.d]# ls
authkeys harc ldirectord.cf README.config shellfuncs
ha.cf haresources rc.d/ resource.d/
heartbeat主要有三个配置文件:
1. /etc/ha.d/authkeys
2. /etc/ha.d/ha.cf
3. /etc/ha.d/haresources
过程 48.1. 配置步骤:
1. /etc/ha.d/authkeys
auth 3
3 md5 hello
[root@backup ha.d]# vi authkeys

auth 3
#1 crc
#2 sha1 HI!
3 md5 hello
2. /etc/ha.d/ha.cf
master
logfile /var/log/ha-log

logfacility local0
keepalive 2
deadtime 30
warntime 10
initdead 120
udpport 694
ucast eth1 10.10.10.161
ucast eth1 <backup node ip>
auto_failback on
node master.example.org
node backup.example.org
ping_group group1 10.10.10.160 10.10.10.161
respawn hacluster /usr/lib/heartbeat/ipfail
apiauth ipfail gid=haclient uid=hacluster
[root@backup ha.d]# vi ha.cf

logfile /var/log/ha-log
backup
ucast eth1 master node ip
3. /etc/ha.d/haresources
<node> <vip>/<netmask>/<interface>/<vip> ldirectord
master.example.org 211.100.37.164/32/eth0:0/211.100.37.164 ldirectord
[root@master ha.d]# cat haresources

master.example.org 211.100.37.164/32/eth0:0/211.100.37.164 ldirectord
backup.example.org 211.100.37.164/32/eth0:0/211.100.37.164 ldirectord
[root@backup ha.d]# cat haresources

backup.example.org 211.100.37.164/32/eth0:0/211.100.37.164 ldirectord
4. /etc/ha.d/ldirectord.cf
checktimeout=3
checkinterval=1
autoreload=yes
logfile="/var/log/ldirectord.log"
quiescent=yes
virtual=211.100.37.164:80
real=10.10.0.7:80 gate
real=10.10.0.8:80 gate
real=10.10.0.9:80 gate
service=http
virtualhost=netkiller.8800.org
scheduler=wrr
protocol=tcp
checkport=80
...
debug
tail -f /var/log/ha-log
察看心跳监听是否工作：
[root@master ha.d]# tcpdump -i eth1 icmp

[root@backup ha.d]# tcpdump -i eth1 icmp
IPaddr2 Script
IPAddr2::10.10.0.1/32/0:0/10.10.0.1

resource.d/IPaddr2 10.10.0.1/32/0:0/10.10.0.1 start

test 第 49 章 HAProxy - fast and reliable
起始页
load balancing reverse proxy

第 49 章 HAProxy - fast and reliable load balancing reverse proxy
第 49 章 HAProxy - fast and reliable load balancing reverse proxy

第 49 章 HAProxy - fast and reliable load balancing reverse

proxy
$ apt-cache search haproxy

haproxy - fast and reliable load balancing reverse proxy

第 48 章 heartbeat+ldirectord 起始页部分 VII. Multimedia
部分 VII. Multimedia
上一页下一页
目录
50. ImageMagick
install
convert
批量转换
resize
51. GraphicsMagick
52. How to add metadata to digital pictures from the command line
53. broadcast streaming
shoutcast
PeerCast
54. To convert multimedia format
上一页下一页
第 49 章 HAProxy - fast and reliable 第 50 章 ImageMagick
起始页
load balancing reverse proxy
第 50 章 ImageMagick
上一页部分 VII. Multimedia 下一页
目录
install
convert
批量转换
resize
homepage: http://www.imagemagick.org/
install
$ sudo apt-get install imagemagick

部分 VII. Multimedia 起始页 convert
convert
convert
上一页第 50 章 ImageMagick 下一页
convert
批量转换
convert *.jpg gkp-*.png
resize
批量修改图片尺寸
find ./ -name '*.jpg' -exec convert -resize 600x480 {} {}

\;
以长边为准
for img in $(find ./album/ -type f -name *.jpg)

do
width=$(identify -format "%w" $img)
height=$(identify -format "%h" $img)
if [ $width -gt $height ]; then
convert -resize 900x600 $img $img
else
convert -resize 600x900 $img $img
fi
done

convert
第 50 章 ImageMagick 起始页第 51 章 GraphicsMagick

第 51 章 GraphicsMagick
http://www.graphicsmagick.org/

convert 第 52 章 How to add metadata to
起始页 digital pictures from the command
line
第 52 章 How to add metadata to digital pictures from the command line
第 52 章 How to add metadata to digital pictures from the command line

第 52 章 How to add metadata to digital pictures from the

command line
exiftool

第 51 章 GraphicsMagick 起始页第 53 章 broadcast streaming
第 53 章 broadcast streaming
目录

shoutcast
PeerCast

过程 53.1.
1. installation
$ sudo apt-get install gnump3d
2. configure
$ sudo vim /etc/gnump3d/gnump3d.conf
root = /var/music
3. copy some mp3 file to directory /var/music

4. testing
http://127.0.0.1:8888/


第 52 章 How to add metadata to icecast2 - Ogg Vorbis and MP3
digital pictures from the command 起始页 streaming media server
line


上一页第 53 章 broadcast streaming 下一页

http://www.icecast.org/
过程 53.2.
1. installation
$ sudo apt-get install icecast2
2. configure
/etc/default/icecast2
$ sudo vim /etc/default/icecast2

#ENABLE=false
ENABLE=true
/etc/icecast2/icecast.xml
<authentication>

<source-password>your-password</source-password>

<relay-password>your-password</relay-password>


<admin-user>admin</admin-user>
<admin-password>your-password</admin-password>
</authentication>
3. starting
$ sudo /etc/init.d/icecast2 start
4. testing
http://localhost:8000/

过程 53.3. 配置步骤
1. 安装lib库
netkiller@Linux-server:~/icecast-2.3.1$ sudo apt-get install libxslt1.1

netkiller@Linux-server:~/icecast-2.3.1$ sudo apt-get install libxslt1-dev
netkiller@Linux-server:~/icecast-2.3.1$ sudo apt-get install libshout3
netkiller@Linux-server:~/icecast-2.3.1$ sudo apt-get install libshout3-dev
2. $ sudo ./configure --prefix=/usr/local/icecast
make;make install
netkiller@Linux-server:~/icecast-2.3.1$ ./configure --prefix=/usr/local/icecast

netkiller@Linux-server:~/icecast-2.3.1$ make
netkiller@Linux-server:~/icecast-2.3.1$ sudo make install
netkiller@Linux-server:~/icecast-2.3.1$ cd /usr/local/icecast/
netkiller@Linux-server:/usr/local/icecast$ ls
bin etc share
创建icecast2用户
修改所有者
netkiller@Linux-server:/usr/local/icecast$ cd ..
netkiller@Linux-server:/usr/local$ adduser icecast2
netkiller@Linux-server:/usr/local$ sudo chown icecast2.icecast2 -R icecast/
3. 运行icecast
netkiller@Linux-server:/usr/local$ su icecast2
netkiller@Linux-server:/usr/local$ /usr/local/icecast/bin/icecast -b -c /usr/local/
icecast/etc/icecast.xml
4. 配置icecast
管理员/密码
admin-user: 管理员用户名
admin-password: 管理员密码
icecast2@Linux-server:/usr/local/icecast$ vi etc/icecast.xml

<authentication>

<source-password>hackme</source-password>

<relay-password>hackme</relay-password>


<admin-user>admin</admin-user>
<admin-password>chen</admin-password>
</authentication>
5. 测试 http://netkiller.8800.org:8000/

第 53 章 broadcast streaming 起始页 shoutcast

shoutcast
shoutcast
shoutcast
shoutcast...

icecast2 - Ogg Vorbis and MP3 起始页 PeerCast
streaming media server
PeerCast
PeerCast
PeerCast
homepage: http://www.peercast.org/

shoutcast 第 54 章 To convert multimedia
起始页
format
第 54 章 To convert multimedia format


目录


Command line utility mencoder can convert .rm files to .mp3
mencoder input_file.rm -ovc frameno -oac mp3lame -of rawaudio -lameopts cbr:br=128 -
o output_file.mp3
lame -h -b 128 audiodump.wav myconvertedfile.mp3

PeerCast 起始页 encode to Macromedia Flash format

上一页第 54 章 To convert multimedia format 下一页
mencoder input.avi -o output.flv -of lavf \

-oac mp3lame -lameopts abr:br=56 -srate 22050 -ovc lavc \
-lavcopts vcodec=flv:vbitrate=500:mbd=2:mv0:trell:v4mv:cbp:
last_pred=3

第 54 章 To convert multimedia 第 55 章 Voice over IP
起始页
format
第 55 章 Voice over IP
上一页下一页
目录
Gnu Gatekeeper
Gnu Gatekeeper Test
OpenSER SIP Server
安装环境 ubuntu 7.10
Gnu Gatekeeper
http://www.gnugk.org/
sudo apt-get install gnugk

sudo apt-get install ohphone
start|stop|restart|force-reload
netkiller@shenzhen:~$ sudo /etc/init.d/gnugk

Usage: /etc/init.d/gnugk {start|stop|restart|force-reload}
Start
netkiller@shenzhen:~$ sudo /etc/init.d/gnugk start

Starting H.323 gatekeeper: gnugk.
netkiller@shenzhen:~$ sudo /etc/init.d/gnugk stop

Stopping H.323 gatekeeper: gnugk.

gatekeeper.ini
[Gatekeeper::Main]
Fourtytwo=42
[GkStatus::Auth]
rule=allow
Gnu Gatekeeper Test
How do I test Gatekeeper
first, telnet tools
netkiller@shenzhen:~$ telnet 127.0.0.1 7000

Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Version:
Gatekeeper(GNU) Version(2.2.5) Ext(pthreads=1,radius=1,mysql=1,pgsql=1,firebird=1,
large_fdset=0,crypto/ssl=1) Build(Feb 2 2007, 21:39:07) Sys(Linux i686 2.6.20-15-
server)
GkStatus: Version(2.0) Ext()
Toolkit: Version(1.0) Ext(basic)
Startup: Fri, 09 Nov 2007 17:26:23 -0500 Running: 0 days 00:08:34
;
Part I - Microsoft Windows NetMeeting
Windows XP
Start NetMeeting
Start->Run->conf






Tools -> Option -> Advence
网关守卫设置

Part II - ohphone
For example:
netkiller
neo@machine1:~$ ohphone -l -a -u neo
neo
netkiller@machine2:~$ ohphone -u netkiller neo
上一页下一页
encode to Macromedia Flash format 起始页 Asterisk (OpenSource Linux PBX that
supports both SIP and H.323)

上一页第 55 章 Voice over IP 下一页
http://www.asteriskpbx.com/
netkiller@shenzhen:~$ apt-cache search Asterisk

asterisk-app-dtmftotext - Text entry application for Asterisk
asterisk-app-fax - Softfax application for Asterisk
asterisk-app-misdn-v110 - V.110 protocol handler for Asterisk
asterisk-chan-capi - Common ISDN API 2.0 implementation for Asterisk
asterisk-chan-misdn - mISDN support for Asterisk
asterisk-oh323 - oh323 channel driver for Asterisk
asterisk-prompt-de - German voice prompts for the Asterisk PBX
asterisk-prompt-es-co - Colombian Spanish voice prompts for Asterisk
asterisk-prompt-fr - French voice prompts for Asterisk
asterisk-prompt-it - Italian voice prompts for the Asterisk PBX
asterisk-prompt-se - Swedish voice prompts for Asterisk
asterisk-rate-engine - Asterisk least cost routing module
asterisk-sounds-extra - Additional sound files for the Asterisk PBX
destar - management interface for the Asterisk PBX
gastman - GUI tool for Asterisk administration and monitoring
iaxmodem - software modem with IAX2 connectivity
kiax - IAX VoIP softphone
libiax-dev - implementation of the Inter-Asterisk eXchange protocol (devel)
libiax0 - implementation of the Inter-Asterisk eXchange protocol
op-panel - switchboard type application for the Asterisk PBX
asterisk-prompt-es - Spanish prompts for the Asterisk PBX
asterisk - Open Source Private Branch Exchange (PBX)
asterisk-bristuff - Open Source Private Branch Exchange (PBX) - BRIstuff-enabled
version
asterisk-classic - Open Source Private Branch Exchange (PBX) - original Digium
version
asterisk-config - config files for asterisk
asterisk-dev - development files for asterisk
asterisk-doc - documentation for asterisk
asterisk-h323 - asterisk H.323 VoIP channel
asterisk-sounds-main - sound files for asterisk
asterisk-web-vmail - Web-based (CGI) voice mail interface for Asterisk

第 55 章 Voice over IP 起始页 OpenSER SIP Server
OpenSER SIP Server
OpenSER SIP Server

上一页第 55 章 Voice over IP 下一页
OpenSER SIP Server

http://www.openser.org/
netkiller@shenzhen:~$ apt-cache search openser

openser - very fast and configurable SIP proxy
openser-cpl-module - CPL module (CPL interpreter engine) for OpenSER
openser-dbg - very fast and configurable SIP proxy [debug symbols]
openser-jabber-module - Jabber module (SIP-Jabber message translation) for OpenSER
openser-mysql-module - MySQL database connectivity module for OpenSER
openser-postgres-module - PostgreSQL database connectivity module for OpenSER
openser-radius-modules - radius modules for OpenSER
openser-unixodbc-module - unixODBC database connectivity module for OpenSER

Asterisk (OpenSource Linux PBX that 第 56 章 Open Source Distributed
起始页
supports both SIP and H.323) Computing
第 56 章 Open Source Distributed Computing

上一页下一页

目录

rc.local

下载Boinc
$ wget http://boinc.berkeley.edu/dl/boinc_5.6.4_i686-pc-linux-gnu.sh
netkiller@Linux-server:~$ wget http://boinc.berkeley.edu/dl/boinc_5.6.4_i686-pc-

linux-gnu.sh
--11:02:36-- http://boinc.berkeley.edu/dl/boinc_5.6.4_i686-pc-linux-gnu.sh
=> `boinc_5.6.4_i686-pc-linux-gnu.sh'
Resolving boinc.berkeley.edu... 128.32.18.189
Connecting to boinc.berkeley.edu|128.32.18.189|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,205,541 (3.1M) [application/x-sh]
100%[====================================>] 3,205,541 8.95K/s ETA 00:00
11:08:45 (8.53 KB/s) - `boinc_5.6.4_i686-pc-linux-gnu.sh' saved [3205541/3205541]
$ chmod +x boinc_5.6.4_i686-pc-linux-gnu.sh$ ./boinc_5.6.4_i686-pc-linux-gnu.sh
netkiller@Linux-server:~$ chmod +x boinc_5.6.4_i686-pc-linux-gnu.sh

netkiller@Linux-server:~$ ./boinc_5.6.4_i686-pc-linux-gnu.sh
use /home/netkiller/BOINC/run_manager to start BOINC
netkiller@Linux-server:~$ ls
BOINC boinc_5.6.4_i686-pc-linux-gnu.sh public_html www
netkiller@Linux-server:~$ cd BOINC/
netkiller@Linux-server:~/BOINC$ ls
binstall.sh boincmgr boincmgr.8x8.png run_client
boinc boincmgr.16x16.png ca-bundle.crt run_manager
boinc_cmd boincmgr.32x32.png locale

netkiller@Linux-server:~/BOINC$
添加计算项目
$ ./boinc --attach_project http://setiathome.berkeley.edu/

3d996959b1f88df43048f87c3c0c999f
$ ./boinc --attach_project www.worldcommunitygrid.org
dad152cf8f8fbdc52b04d4eeaa43e1ca
$ ./boinc --attach_project http://climateprediction.net/
4070a202cd5a559ec9d044cffc156fa4
$ ./boinc --attach_project http://einstein.phys.uwm.edu/
f9d5ee6d433a6949599f91dd7d9ceb8e
$ ./boinc --attach_project http://milkyway.cs.rpi.edu/milkyway/
f2fa96fb4f72df925cba92c34031768d
$ ./boinc --attach_project http://boinc.iaik.tugraz.at/sha1_coll_search/
0017d38d9c4a944caa8dad0b82b3f6a6
运行Boinc
./boinc -daemon -no_gui_rpc
上一页下一页
OpenSER SIP Server 起始页 ubuntu apt-get 安装

上一页第 56 章 Open Source Distributed Computing 下一页
netkiller@shenzhen:~/BOINC$ apt-cache search boinc

boinc-app-seti - SETI@home application for the BOINC client
boinc-client - core client for the BOINC distributed computing infrastructure
boinc-dev - development files to build applications for BOINC projects
boinc-manager - GUI to control and monitor the BOINC core client
kboincspy - monitoring utility for the BOINC client
kboincspy-dev - development files for KBoincSpy plugins
netkiller@shenzhen:~/BOINC$
安装
netkiller@shenzhen:~/BOINC$ sudo apt-get install boinc-client
拷贝现有的account文件
netkiller@shenzhen:~/BOINC$ cp account_* /var/lib/boinc-client/
重新启动
netkiller@shenzhen:~/BOINC$ /etc/init.d/boinc-client restart

第 56 章 Open Source Distributed rc.local
起始页
Computing
rc.local
rc.local
上一页第 56 章 Open Source Distributed Computing 下一页
rc.local
/home/neo/BOINC/run_client --daemon

ubuntu apt-get 安装起始页附录 A. 附录
附录 A. 附录
附录 A. 附录
上一页下一页
附录 A. 附录
目录
参考文档
Linux 下载排名
参考文档
http://www.faqs.org/docs/Linux-HOWTO/Bash-Prog-Intro-HOWTO.html
http://xiaowang.net/bgb-cn/index.html
上一页下一页
rc.local 起始页 Linux 下载排名
http://netkiller.sourceforge.net/linux/apa.html[21/5/2010 21:47:47]
Linux 下载排名
Linux 下载排名
上一页附录 A. 附录下一页
Linux 下载排名
http://distrowatch.com/

附录 A. 附录起始页附录 B. 历史记录
http://netkiller.sourceforge.net/linux/apas02.html[21/5/2010 21:47:48]
附录 B. 历史记录
上一页
修订历史
修订 1.0 2007-1-12
● 开始
● ubuntu linux
修订 1.1 2007-5-10
Application (Zope)
修订 1.2 2007-5-15
Memcached
修订 1.3 2007-5-18
Jboss
修订 1.4 2007-5-21
php memcache,lighttpd script
修订 1.5 2007-5-22
rsync
修订 1.6 2007-5-24
openfiler
修订 1.7 2007-5-25
openfiler, php sql server
修订 1.8 2007-5-28
openfiler, zend optimizer
http://netkiller.sourceforge.net/linux/apb.html（第 1／4 页）[21/5/2010 21:47:51]

修订 1.9 2007-6-9
ip tunnel, memcached script, lighttpd script
修订 1.10 2007-11-13
栏目重新排版，增加很多新内容
修订 1.11 2008-1-17
awstats, webalizer
修订 1.12 2008-1-22
TUTOS, TRAC
修订 1.2 2008-3-21
栏目重新排版，增加很多新内容
修订 1.2.1 2008-3-21
Shorewall
修订 1.2.2 2008-6-20
FreeRADIUS
修订 1.2.3 2008-10-7
MySQL Replication
修订 1.2.4 2008-10-8
MySQL Cluster
修订 1.2.5 2008-10-9
modi: Openldap
修订 1.2.6 2008-10-21

inotify-tools
修订 1.2.7 2008-10-31
modify rsync chapter
add csync2
修订 1.2.8 2008-12-3
modified system chapter
add nagios, and remove developer chapter
修订 1.2.9 2008-12-16
the system chapter was modified
修订 1.2.10 2008-12-22
added loop devices
added ACL - Access Control List under chapter security.
added ncftp, ncftpget, ncftpput
修订 1.3.0 2009-3-10
bash
added if, for, while, until
and function
修订 1.3.1 2009-3-22
vsftpd
修订 1.3.2 2009-4-5

to move chapter database to new docbook.
修订 1.3.2 2009-4-15
Stunnel.
修订 1.3.3 2009-5-7
增加很多新内容,章节重新排版。
修订 1.3.4 2009-10-27
PPTPD
上一页
Linux 下载排名起始页

Netkiller Linux Advanced 手札

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Netkiller Linux Advanced 手札

Uploaded by

Copyright:

Available Formats

Netkiller Linux Advanced 手札

Netkiller Linux Advanced 手札

Netkiller Linux Advanced 手札

Mr. Neo Chan, 陈景峰

文档最近一次更新于 Tue May 18 03:11:53 UTC 2010

http://netkiller.sourceforge.net/linux/index.html（第 1／15 页）[21/5/2010 21:40:07]

Netkiller Linux Basics 手札 | Netkiller Linux Advanced 手札 | Netkiller CentOS 手札 | Netkiller

Netkiller Architect 手札 | Netkiller Version 手札 | Netkiller Developer 手札 | Netkiller Security 手

Netkiller Cisco IOS 手札 | Netkiller Mail System 手札 | Netkiller Document 手札

http://netkiller.sourceforge.net/linux/index.html（第 2／15 页）[21/5/2010 21:40:07]

http://netkiller.sourceforge.net/linux/index.html（第 3／15 页）[21/5/2010 21:40:07]

http://netkiller.sourceforge.net/linux/index.html（第 4／15 页）[21/5/2010 21:40:07]

http://netkiller.sourceforge.net/linux/index.html（第 5／15 页）[21/5/2010 21:40:07]

monitor mysql tcp package

http://netkiller.sourceforge.net/linux/index.html（第 6／15 页）[21/5/2010 21:40:07]

OpenVPN GUI for Windows

http://netkiller.sourceforge.net/linux/index.html（第 7／15 页）[21/5/2010 21:40:07]

XAMPP for Linux

http://netkiller.sourceforge.net/linux/index.html（第 8／15 页）[21/5/2010 21:40:07]

http://netkiller.sourceforge.net/linux/index.html（第 9／15 页）[21/5/2010 21:40:08]

http://netkiller.sourceforge.net/linux/index.html（第 10／15 页）[21/5/2010 21:40:08]

install with aptitude

http://netkiller.sourceforge.net/linux/index.html（第 11／15 页）[21/5/2010 21:40:08]

http://netkiller.sourceforge.net/linux/index.html（第 12／15 页）[21/5/2010 21:40:08]

http://netkiller.sourceforge.net/linux/index.html（第 13／15 页）[21/5/2010 21:40:08]

1.1. Linux partition

http://netkiller.sourceforge.net/linux/index.html（第 14／15 页）[21/5/2010 21:40:08]

http://netkiller.sourceforge.net/linux/index.html（第 15／15 页）[21/5/2010 21:40:08]

http://netkiller.sourceforge.net/linux/pr01.html（第 1／2 页）[21/5/2010 21:40:10]

http://netkiller.sourceforge.net/linux/pr01.html（第 2／2 页）[21/5/2010 21:40:10]

上一页 上一级 下一页

上一页 上一级 下一页

陈景峰 (Neo chen) IT民工，昵称：netkiller, UNIX like爱好者,Senior PHP Software Engineer, 业

《PostgreSQL实用实例参考》，《Postfix 完整解决方案》，《Netkiller Linux 手札》的作者

2008终于找到英文学习方法，， 《Netkiller Developer 手札》，《Netkiller Document 手札》

2008-8-8 08:08:08 结婚,后全家迁居湖南省常德市

2009《Netkiller Database 手札》,年底拿到C1驾照

上一页 上一级 下一页

http://netkiller.sourceforge.net/linux/pr01s04.html（第 1／2 页）[21/5/2010 21:40:17]

读者对象 起始页 联系作者

http://netkiller.sourceforge.net/linux/pr01s04.html（第 2／2 页）[21/5/2010 21:40:17]

Tel: +86 755 2981-2080

Callsign: BG7NYT QTH: Shenzhen, China

如果这篇文章对你有所帮助,请寄给我一张QSL卡片,qrz.cn or qrz.com or hamcall.net

Personal Amateur Radiostations of P.R.China

ZONE CQ24 ITU44 ShenZhen, China

Best Regards, VY 73! OP. BG7NYT

http://netkiller.sourceforge.net/linux/pr01s05.html（第 1／2 页）[21/5/2010 21:40:18]

上一页 上一级 下一页

http://netkiller.sourceforge.net/linux/pr01s05.html（第 2／2 页）[21/5/2010 21:40:18]

Open Source and License

Open Source and License

Linux 中有许多BSD代码，但BSD却不能移植Linux 代码到BSD中，这是因为GPL License。

[root@localhost ~]# lsb_release -a

No LSB modules are available.

上一页 上一级 下一页

表 1.1. Linux partition

上一页 上一级 下一页

2. Ubuntu Server Edition

第 2 章 Ubuntu Server Edition

第 2 章 Ubuntu Server Edition

Netkiller Ubuntu Linux 手札

上一页 上一级 下一页

第 3 章 CentOS - The Community ENTerprise Operating System

上一页上一级下一页

上一页上一级下一页

2008终于找到英文学习方法，，《Netkiller Developer 手札》，《Netkiller Document 手札》

上一页上一级下一页

读者对象起始页联系作者

上一页上一级下一页

上一页上一级下一页

上一页上一级下一页

上一页上一级下一页

上一页上一级下一页

上一页上一级下一页

上一页上一级下一页

上一页上一级下一页

上一页上一级下一页

上一页上一级下一页

上一页上一级下一页

上一页上一级下一页

上一页上一级下一页

上一页上一级下一页

上一页上一级下一页

上一页上一级下一页

上一页上一级下一页

上一页上一级下一页

上一页上一级下一页

上一页上一级下一页

上一页上一级下一页